Preface



The 10th Annual ASIACRYPT 2004 was held in Jeju Island, Korea, dur- 
ing December 5-9, 2004. This conference was organized by the International 
Association for Cryptologic Research (IACR) in cooperation with KIISC (Ko- 
rean Institute of Information Security and Cryptology) and IRIS (International 
Research center for Information Security) at ICU (Information and Communica- 
tions University), and was financially supported by MIC (Ministry of Information 
and Communication) in Korea. 

The conference received, from 30 countries, 208 submissions that represent 
the current state of work in the cryptographic community worldwide, covering 
all areas of cryptologic research. Each paper, without the authors’ information, 
was reviewed by at least three members of the program committee, and the 
papers (co-)authored by members of the program committee were reviewed by 
at least six members. We also blinded the reviewers’ names among the reviewers 
until the final decision, by using pseudonyms. The reviews were then followed 
by deep discussions on the papers, which greatly contributed to the quality of 
the final selection. In most cases, extensive comments were sent to the authors. 

Among 208 submissions, the program committee selected 36 papers. Two 
submissions were merged into a single paper, yielding the total of 35 papers 
accepted for presentation in the technical program of the conference. Many high- 
quality works could not be accepted because of the competitive nature of the 
conference and the challenging task of selecting a program. These proceedings 
contain revised versions of the accepted papers. These revisions have not been 
checked for correctness, and the authors bear full responsibility for the contents 
of their papers. 

This was the first year in which the program committee selected a recipient 
for the Best Paper Award for the ASIACRYPT conference after lengthy dis- 
cussion on its procedure and voting among program committee members. The 
winner of the prize for the Best Paper was Claus Diem from the University of 
Essen for his paper “The XL-algorithm and a Conjecture from Commutative 
Algebra.” 

The conference program included two invited lectures. Adi Shamir, from 
the Weizmann Institute of Science, Israel, talked on “Stream Ciphers: Dead or 
Alive?,” and Ho-Ick Suk, the Deputy Minister for Informatization Planning at 
MIC of Korea, talked on “Information Security in Korea IT839 Strategy.” In 
addition, the conference also included one rump session, chaired by Moti Yung, 
which featured short informal talks. 

I wish to thank the program committee, whose members worked very hard 
over several months. I am also very grateful to the external referees who con- 
tributed with their special expertise to the selection process. Their work is highly 
appreciated. 

The submission of all papers was received electronically using Web-based 
submission software which was provided by Chanathip Namprempre with modi- 
fications by Andre Adelsbach. During the review process, the program committee 
communicated mainly through the Web-based review software developed by 
Bart Preneel, Wim Moreau, and Joris Claessens. 

It is my pleasure to thank the General Chair, Prof. Kwangjo Kim, for all his 
work in organizing the conference, and for the pleasant collaboration and various 
pieces of advice. In addition, I would like to extend my gratitude to the members 
of the local organizing committee. For financial support of the conference, the 
organizing committee and I gratefully acknowledge the Ministry of Information 
and Communication (MIC) of Korea. 

I am also grateful to the secretariat of the program committee. Special 
thanks to Sung Ho Yoo and Young Tae Youn for maintaining both the submis- 
sion server and the review server, and to Yong Ho Hwang and Yeon Hyeong 
Yang who served as technical assistants to the chairs and helped me with the 
various technical aspects of running the committee and preparing the conference 
proceedings, and to others for miscellaneous jobs. 

Finally, we would like to thank all the other people who provided any as- 
sistance, and all the authors who submitted their papers to ASIACRYPT 2004, 
as well as all the participants from all over the world. 



December 2004 



Pil Joong Lee 
Abstract. We study a recently proposed design approach for Feistel ciphers
which employs optimal diffusion mappings across multiple rounds.
This idea was proposed by Shirai and Shibutani at FSE 2004, and the
technique makes it possible to improve the immunity against either differential
or linear cryptanalysis (but not both). In this paper, we present a theoretical
explanation of why the new design using three different matrices
achieves the better immunity. In addition, we are able to prove conditions
to improve the immunity against both differential and linear cryptanalysis.
As a result, we show that this design approach guarantees at least
$R(m+1)$ active S-boxes in $3R$ consecutive rounds ($R \ge 2$), where $m$ is the
number of S-boxes in a round. By using the guaranteed number of active
S-boxes, we compare this design approach to other well-known designs
employed in SHARK, Rijndael, and MDS-Feistel ciphers. Moreover, we
show interesting additional properties of the new design approach.

Keywords: optimal diffusion mapping, Feistel cipher, active S-boxes,
MDS.



1 Introduction 

A Feistel structure is one of the most widely used and best studied structures
for the design of block ciphers. It was first proposed by H. Feistel in 1973;
subsequently the structure was adopted in the well-known block cipher DES [5,6].
The main advantage of the Feistel structure is its involution property, which
allows flexible designs of the underlying F-functions. During the 30-year history
of modern block ciphers, extensive studies have been made on the Feistel structure [8,11,14].
Currently, many well-known block ciphers, e.g. Camellia [1], Misty [10],
RC6 [13], Twofish [15], employ Feistel structures.

Recently, Shirai and Shibutani proposed a novel design approach for Feistel
ciphers based on the concept of optimal diffusion mappings [18]. An optimal
diffusion is a linear function with maximum branch number; the concept of optimal
diffusion is used in the design of AES and many other cryptographic primitives [2,15,12,4].
From their empirical analytic results, the immunity against either differential
or linear cryptanalysis (but not both) would be strengthened significantly
if the linear diffusion layer of the Feistel structure satisfies special optimal
diffusion conditions across multiple rounds. In this way difference cancellation in
the Feistel structure caused by a small number of active S-boxes will not occur.
This result opened a new line of research on the Feistel structure. A theoretical
proof of the effectiveness of the proposed design and a solution to improve the
immunity against both differential and linear cryptanalysis remained unsolved.

* A guest researcher at ESAT/SCD-COSIC, K.U. Leuven from 2003 to 2004.

P.J. Lee (Ed.): ASIACRYPT 2004, LNCS 3329, pp. 1-15, 2004.

In this paper, we will call the "Optimal Diffusion Mappings across Multiple
Rounds" design approach for Feistel ciphers the ODM-MR design. Our contribution
is that we first give a theoretical explanation of the effectiveness of
the ODM-MR design implied by Shirai and Shibutani. Second, we found new
conditions and proofs to improve the immunity against both differential and linear
cryptanalysis. Let $m$ be the number of S-boxes in an F-function. As a result,
by combining previous and novel conditions, we finally show that Feistel ciphers
with the ODM-MR design guarantee $R(m+1)$ active S-boxes in $3R$ consecutive
rounds for $R \ge 2$.

In order to further investigate the properties of the ODM-MR design, we
compare the ratio of guaranteed active S-boxes to all employed S-boxes of the
ODM-MR design to that of other design approaches employed in MDS-Feistel, SHARK
and AES/Rijndael. All of them use optimal diffusion mappings in their linear
diffusion. Consequently, in 128-bit block and 8-bit S-box settings, we obtain a
limit of 0.371 for the active S-box ratio of the ODM-MR design when the number
$r$ of rounds goes to infinity, which means that we can guarantee 37.1% active
S-boxes with this design strategy. This result is clearly better than MDS-Feistel's
ratio of 0.313. Moreover, we show that when both the number of S-boxes in an
F-function and the number of rounds go to infinity, the converged ratio of
ODM-MR is 0.333. This is better than the Rijndael-type diffusion layer's ratio of 0.250. From
these limit values, we can conclude that ODM-MR performs better than the other
approaches in certain settings.

This paper is organized as follows: in Sect. 2, we introduce some definitions
used in this paper. Previous work, including the ODM-MR design approach, is
presented in Sect. 3. We prove in Sect. 4 the theorems regarding ODM-MR as our
main contribution. In Sect. 5, we discuss the new design by presenting some
numerical values. Finally, Sect. 6 concludes the paper. The method to construct
concrete Feistel ciphers with the ODM-MR design is proposed in Appendix A.



2 Preliminaries 

In this paper, we treat the typical Feistel structure, which is called a balanced 
Feistel structure. It is defined as follows [14]. 

Definition 1. (Balanced Feistel Structure)

Let $E : \{0,1\}^k \times \{0,1\}^b \to \{0,1\}^b$ be a $b$-bit block cipher (for $b$ even) with a $k$-bit
key. Let $r$ be the number of rounds, $k_i \in \{0,1\}^{k'}$ be the $k'$-bit round key provided
by a key scheduling algorithm and $x_i \in \{0,1\}^{b/2}$ be intermediate data, and let
$F_i : \{0,1\}^{k'} \times \{0,1\}^{b/2} \to \{0,1\}^{b/2}$ be the F-function of the $i$-th round. The
encryption and decryption algorithms of a balanced Feistel cipher $E$ are defined
as follows.

Algorithm Feistel.Encrypt$_K(P)$
  input $P \in \{0,1\}^b$, $K \in \{0,1\}^k$
  $x_0 \leftarrow \mathrm{msb}_{b/2}(P)$, $x_1 \leftarrow \mathrm{lsb}_{b/2}(P)$
  for $i = 1$ to $r$ do
    $x_{i+1} \leftarrow F_i(k_i, x_i) \oplus x_{i-1}$
  $\mathrm{msb}_{b/2}(C) \leftarrow x_{r+1}$, $\mathrm{lsb}_{b/2}(C) \leftarrow x_r$
  return $C \in \{0,1\}^b$

Algorithm Feistel.Decrypt$_K(C)$
  input $C \in \{0,1\}^b$, $K \in \{0,1\}^k$
  $x_0 \leftarrow \mathrm{msb}_{b/2}(C)$, $x_1 \leftarrow \mathrm{lsb}_{b/2}(C)$
  for $i = 1$ to $r$ do
    $x_{i+1} \leftarrow F_i(k_{r-i+1}, x_i) \oplus x_{i-1}$
  $\mathrm{msb}_{b/2}(P) \leftarrow x_{r+1}$, $\mathrm{lsb}_{b/2}(P) \leftarrow x_r$
  return $P \in \{0,1\}^b$

where $\mathrm{msb}_x(y)$ ($\mathrm{lsb}_x(y)$) represents the most (least) significant $x$ bits of $y$.

Then we define SP-type F-functions, which are a special type of F-function
construction [17,7].

Definition 2. (SP-Type F-Function)

Let the length of the round key be $k' = b/2$. Let $m$ be the number of S-boxes in a round,
and $n$ be the size of the S-boxes, with $mn = b/2$. Let $S_{i,j} : \{0,1\}^n \to \{0,1\}^n$ be
the $j$-th S-box in the $i$-th round, and let $S_i : \{0,1\}^{b/2} \to \{0,1\}^{b/2}$ be the function
generated by concatenating the $m$ S-boxes of the $i$-th round. Let $P_i : \{0,1\}^{b/2} \to
\{0,1\}^{b/2}$ be the linear Boolean function.

Then SP-type F-functions are defined as $F_i(x_i, k_i) = P_i(S_i(x_i \oplus k_i))$. Note
that we define the intermediate variables $z_i = S_i(x_i \oplus k_i)$.

Definition 3. ($(m,n,r)$-SPMFC)

An $(m,n,r)$-SPMFC is defined as an $r$-round Feistel cipher with SP-type round
function using $m$ $n$-bit S-boxes, and for which all $S_{i,j}$, $P_i$ are bijective. An $mn \times
mn$ matrix $M_i$ ($1 \le i \le r$) over GF(2) denotes the matrix representation of the
linear Boolean function $P_i$ of an $(m,n,r)$-SPMFC.

We also give the definitions of bundle weight and branch number [4].

Definition 4. (Bundle Weight)

Let $x \in \{0,1\}^{kn}$, where $x$ is represented as a concatenation of $n$-bit values as
$x = [x_0 x_1 \ldots x_{k-1}]$, $x_i \in \{0,1\}^n$. Then the bundle weight $w_n(x)$ of $x$ is defined as

$$w_n(x) = \sharp\{ x_i \mid x_i \ne 0 \} .$$

Definition 5. (Branch Number)

Let $\theta : \{0,1\}^{kn} \to \{0,1\}^{kn}$. The branch number of $\theta$ is defined as

$$B(\theta) = \min_{a \ne 0} \{ w_n(a) + w_n(\theta(a)) \} .$$

Remark 1. The maximum branch number is $B(\theta) = k + 1$. If a linear function has
maximum branch number, it is called an optimal diffusion mapping [2].
It is known that an optimal diffusion mapping can be obtained from maximum
distance separable codes, known as MDS codes [4].

3 Previous Work 

The precise estimation of the lower bound on the number of active S-boxes of
block ciphers is known as one of the practical means to evaluate ciphers,
because this lower bound can be used to calculate the upper bound on
the differential characteristic probability or the linear characteristic probability
[9,3,1,17,7,4]. Shimizu has given a conjectured lower bound on the number
of differentially and linearly active S-boxes for certain $(m,n,r)$-SPMFC block
ciphers, in which a unique optimal diffusion mapping is repeatedly used in all
F-functions [16]. Since such optimal diffusion mappings can be obtained from a
generator matrix of an MDS code, we call the design MDS-Feistel [4,2,18].

Shimizu showed the following formula. 

Conjecture 1. Let $A$ be an $mn \times mn$ matrix over GF(2) of an optimal diffusion
mapping with maximum branch number $m+1$. Let $E$ be an $(m,n,r)$-SPMFC
block cipher in which all matrices of the diffusion layers are given by the unique
matrix $M_i = A$ ($1 \le i \le r$). Then a lower bound on the number of differentially and linearly
active S-boxes of $E$ is conjectured as

$$L(r) = \lfloor r/4 \rfloor (m+2) + (r \bmod 4) - 1 . \qquad (1)$$

In Table 1, the columns indicated by 'M1' show the conjectured lower bounds
on the number of active S-boxes, and the conjectured values are plotted
on the left side of Fig. 3. This simple relation between the round number and the
guaranteed number of active S-boxes is considered a useful tool for evaluating
similar kinds of block cipher designs. While this conjecture has not been proved,
it has been partially confirmed empirically [18].

Recently, at FSE 2004, Shirai and Shibutani proposed a novel design approach 
to improve the minimum number of active S-boxes of Feistel ciphers by employ- 
ing optimal diffusion mappings across multiple round functions, the ODM-MR 
design approach [18]. By carefully analyzing the difference cancellations, they 
found the following properties: 

Property 1. Let $E$ be an $(m,n,r)$-SPMFC block cipher.

— For matrices $M_i$ ($1 \le i \le r$), if every concatenation of two matrices $M_j$
and $M_{j+2}$ for all possible $j$, denoted by $[M_j|M_{j+2}]$, is an optimal diffusion
mapping, the minimum number of differentially active S-boxes is increased
compared to an MDS-Feistel cipher.

— Additionally, if each concatenation of three matrices $M_j$, $M_{j+2}$ and $M_{j+4}$ for
all possible $j$, denoted by $[M_j|M_{j+2}|M_{j+4}]$, is an optimal diffusion mapping,
the minimum number of differentially active S-boxes is increased further
than when only the above condition on two matrices is satisfied.

— Even if the number of concatenated matrices is larger than 3, no explicit
gain in the number of active S-boxes has been observed in their simulations.

These results imply that by avoiding a linear correlation between the F-functions
of rounds $(i, i+2)$ or rounds $(i, i+2, i+4)$, the ODM-MR construction guarantees
more active S-boxes.

In Table 1, the columns indicated by 'D' show the improved minimum
number of differentially active S-boxes when every concatenated matrix
of three matrices $[M_i|M_{i+2}|M_{i+4}]$ is an optimal diffusion mapping. The graph
of the corresponding values is shown on the left side of Fig. 2.

This result opened a new line of research on developing more efficient Feistel 
ciphers. On the other hand a theoretical justification of the gain of the proposed 
construction and an explicit method to improve the immunity against both dif- 
ferential and linear cryptanalysis remained unsolved. 



4 Proofs of Effectiveness of the ODM-MR Design 

In this section, we provide the first proofs for the effectiveness of the ODM-MR
design using three different matrices. We also show an additional condition
and some proofs in order to improve the lower bound on linearly active S-boxes
by using two different matrices. Our main contribution is to show the following
corollary, which presents a simple relation between the number of rounds and the
guaranteed number of active S-boxes in the ODM-MR design. In the corollary,
note that ${}^tM$ denotes the transpose of a matrix $M$.

Corollary 1. Let $E$ be an $(m,n,r)$-SPMFC block cipher where $r \ge 6$.
If $[M_i|M_{i+2}|M_{i+4}]$ and $[{}^tM_j^{-1}|{}^tM_{j+2}^{-1}]$ are optimal diffusion mappings for any $i, j$
($1 \le i \le r-4$, $1 \le j \le r-2$), respectively, then any $3R$ consecutive rounds ($R \ge 2$)
in $E$ guarantee at least $R(m+1)$ differentially and linearly active S-boxes.

Fig. 1 illustrates the statement of the corollary. By using Corollary 1,
we can theoretically guarantee an arbitrary number of active S-boxes by increasing
the number of rounds. Since the corollary can be immediately obtained from
two theorems, i.e. Theorem 1 and Theorem 2, the following two subsections are
devoted to the proofs of these theorems. To ease the proofs, we first introduce
an additional definition.

Definition 6. Consider a differential characteristic or linear approximation.
Let $D_i$ and $L_i$ denote the number of differentially and linearly active S-boxes
in the $i$-th round, respectively. These values are determined by the differences
$\Delta x_i, \Delta z_i$ or by the linear masks $\Gamma x_i, \Gamma z_i$ as follows:

$$D_i = w_n(\Delta x_i) = w_n(\Delta z_i) , \qquad L_i = w_n(\Gamma x_i) = w_n(\Gamma z_i) ,$$

where $w_n(\cdot)$ is the bundle weight as defined in Definition 4.
Fig. 1. Guaranteed Active S-boxes by ODM-MR design (figure label: 12 rounds, $4(m+1)$ active S-boxes are guaranteed)



Remark 2. Note that a given differential characteristic always contains a nonzero
input difference, since any $(m,n,r)$-SPMFC's F-functions are bijective. Hence
we obtain the following conditions:

(d0) $D_i = 0 \Rightarrow D_{i-2} \ne 0,\ D_{i-1} \ne 0,\ D_{i+1} \ne 0,\ D_{i+2} \ne 0$ ,

(d1) $D_i = 0 \Rightarrow D_{i-1} = D_{i+1}$ .

Since a linear approximation always contains a nonzero input mask, we obtain

(l0) $L_i = 0 \Rightarrow L_{i-2} \ne 0,\ L_{i-1} \ne 0,\ L_{i+1} \ne 0,\ L_{i+2} \ne 0$ ,

(l1) $L_i = 0 \Rightarrow L_{i-1} = L_{i+1}$ .

4.1 Proofs for the Lower Bound of Differentially Active S-Boxes 

In this section we prove Theorem 1; the proof is based on five lemmata.

Lemma 1 shows relations between the $D_i$ of an $(m,n,r)$-SPMFC when every $M_i$ is
an optimal diffusion mapping.

Lemma 1. Let $E$ be an $(m,n,r)$-SPMFC block cipher. If every $M_i$ has maximum
branch number $m+1$, then $E$ satisfies the following condition (d2).

(d2) $D_{i+1} \ne 0 \Rightarrow D_i + D_{i+1} + D_{i+2} \ge m+1$ .

Proof. From the relation between the differences $\Delta z_{i+1}, \Delta x_i$ and $\Delta x_{i+2}$ in 3
consecutive rounds, we obtain the following equation:

$$M_{i+1} \Delta z_{i+1} = \Delta x_i \oplus \Delta x_{i+2} .$$

Since every $M_i$ has maximum branch number $m+1$, we have

$$w_n(\Delta z_{i+1}) \ne 0 \Rightarrow w_n(\Delta z_{i+1}) + w_n(\Delta x_i \oplus \Delta x_{i+2}) \ge m+1 . \qquad (2)$$

Eq. (2) and the inequality $w_n(\Delta x_i) + w_n(\Delta x_{i+2}) \ge w_n(\Delta x_i \oplus \Delta x_{i+2})$ yield
(d2). □
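As an added example, not part of the original paper, the following Python code implements a toy $(m,n,r)$-SPMFC following Definitions 1-3 and checks, on a concrete plaintext pair, the 3-round difference relation of Lemma 1 and condition (d1) of Remark 2. The S-box, the unit-triangular GF(2) matrices used as $P_i$ and the round keys are all constructed for the illustration; the matrices are bijective but are not optimal diffusion mappings, which the relation does not require.

```python
# Added example (not from the paper): a toy (m, n, r)-SPMFC in the sense of
# Definitions 1-3, used to check on concrete data the 3-round difference
# relation of Lemma 1, M_{i+1} dz_{i+1} = dx_i xor dx_{i+2}, and condition (d1)
# of Remark 2.  S-box, matrices and round keys are constructed for this
# illustration; the matrices are bijective but not optimal diffusion mappings.
from typing import List, Tuple

M_BOXES, N_BITS = 2, 4             # m = 2 S-boxes of n = 4 bits, so b/2 = 8 and b = 16
HALF = M_BOXES * N_BITS            # width of one Feistel half
MASK = (1 << HALF) - 1

# Constructed bijective 4-bit S-box (a permutation of 0..15).
SBOX = [0x6, 0x4, 0xC, 0x5, 0x0, 0x7, 0x2, 0xE, 0x1, 0xF, 0x3, 0xD, 0x8, 0xA, 0x9, 0xB]
assert sorted(SBOX) == list(range(16))

def unitriangular(shift: int) -> List[int]:
    """Constructed 8x8 matrix over GF(2) as row bitmasks: row i has bit i and some
    bits above it set, so P_i is unit upper-triangular, hence bijective
    (Definition 3).  Different shifts give different matrices for different rounds."""
    rows = []
    for i in range(HALF):
        row = 1 << i
        for j in range(i + 1, HALF):
            if (i + j + shift) % 3:
                row |= 1 << j
        rows.append(row)
    return rows

def mat_vec(mat: List[int], x: int) -> int:
    """Matrix-vector product over GF(2): bit i of M x is the parity of row_i AND x."""
    y = 0
    for i, row in enumerate(mat):
        if bin(row & x).count("1") & 1:
            y |= 1 << i
    return y

def s_layer(x: int) -> int:
    """S_i: the S-box applied to each n-bit bundle of the half block."""
    out = 0
    for j in range(M_BOXES):
        out |= SBOX[(x >> (N_BITS * j)) & 0xF] << (N_BITS * j)
    return out

def sp_round(mat: List[int], x: int, k: int) -> Tuple[int, int]:
    """SP-type F-function F_i(x_i, k_i) = P_i(S_i(x_i xor k_i)) of Definition 2;
    also returns the intermediate z_i = S_i(x_i xor k_i)."""
    z = s_layer(x ^ k)
    return mat_vec(mat, z), z

def feistel(plain: int, keys: List[int], mats: List[List[int]]):
    """Balanced Feistel encryption of Definition 1: x_0 = msb half, x_1 = lsb half,
    x_{i+1} = F_i(k_i, x_i) xor x_{i-1}, C = x_{r+1} || x_r.  Returns C together
    with the trails x_0..x_{r+1} and z_1..z_r."""
    xs = [(plain >> HALF) & MASK, plain & MASK]
    zs = []
    for i, (k, mat) in enumerate(zip(keys, mats)):
        f, z = sp_round(mat, xs[i + 1], k)
        xs.append(f ^ xs[i])
        zs.append(z)
    return (xs[-1] << HALF) | xs[-2], xs, zs

def feistel_decrypt(cipher: int, keys: List[int], mats: List[List[int]]) -> int:
    """Decryption is the same network with round keys and matrices in reverse order."""
    return feistel(cipher, keys[::-1], mats[::-1])[0]

def difference_relation_holds(p1: int, p2: int, keys, mats) -> bool:
    """Lemma 1's relation M_{i+1} dz_{i+1} = dx_i xor dx_{i+2} for every window of
    three consecutive rounds along the trail of the plaintext pair (p1, p2)."""
    _, xs1, zs1 = feistel(p1, keys, mats)
    _, xs2, zs2 = feistel(p2, keys, mats)
    dx = [a ^ b for a, b in zip(xs1, xs2)]   # dx[i] = Delta x_i
    dz = [a ^ b for a, b in zip(zs1, zs2)]   # dz[i] = Delta z_{i+1}
    return all(mat_vec(mats[i], dz[i]) == dx[i] ^ dx[i + 2] for i in range(len(mats)))

def d1_example(p1: int, delta: int, keys, mats) -> Tuple[int, int, int]:
    """Remark 2, (d1): a pair differing only in x_0 has Delta x_1 = 0 (D_1 = 0),
    which forces Delta x_0 = Delta x_2.  Returns (Delta x_0, Delta x_1, Delta x_2)."""
    p2 = p1 ^ (delta << HALF)
    _, xs1, _ = feistel(p1, keys, mats)
    _, xs2, _ = feistel(p2, keys, mats)
    return xs1[0] ^ xs2[0], xs1[1] ^ xs2[1], xs1[2] ^ xs2[2]

ROUNDS = 6
KEYS = [0x3A, 0xC5, 0x71, 0x9E, 0x24, 0xD8]           # constructed 8-bit round keys
MATS = [unitriangular(i % 3) for i in range(ROUNDS)]   # M_1..M_6, cycling three matrices

def roundtrip_ok(plain: int) -> bool:
    """Decrypt(Encrypt(P)) == P for the toy cipher."""
    return feistel_decrypt(feistel(plain, KEYS, MATS)[0], KEYS, MATS) == plain

if __name__ == "__main__":
    print(roundtrip_ok(0xBEEF), difference_relation_holds(0x1234, 0xABCD, KEYS, MATS))
    print([hex(v) for v in d1_example(0x1234, 0x0F, KEYS, MATS)])
```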
Remark 3. By combining Remark 2 and (d2), we can obtain the additional underlying
conditions (d3) and (d4).

(d3) $D_i = 0 \Rightarrow D_{i+1} + D_{i+2} \ge m+1$ ,

(d4) $D_{i+2} = 0 \Rightarrow D_i + D_{i+1} \ge m+1$ .

Conditions (d3) and (d4) mean that if round $k$ has no active S-boxes, the
2 consecutive rounds on either side of round $k$ always contain at least $m+1$ active
S-boxes.

Next, we show the property of an $(m,n,r)$-SPMFC in which every $[M_i|M_{i+2}]$ is
an optimal diffusion mapping. This is true for the ODM-MR design.

Lemma 2. Let $E$ be an $(m,n,r)$-SPMFC block cipher. If every $[M_i|M_{i+2}]$ has
maximum branch number $m+1$, $E$ satisfies the following conditions (d5), (d6).

(d5) $D_{i+4} = 0 \Rightarrow D_i + D_{i+1} + D_{i+3} \ge m+1$ ,

(d6) $D_i = 0 \Rightarrow D_{i+1} + D_{i+3} + D_{i+4} \ge m+1$ .

Proof. From the relation between the differences in 5 consecutive rounds,

$$M_{i+1} \Delta z_{i+1} \oplus M_{i+3} \Delta z_{i+3} = \Delta x_i \oplus \Delta x_{i+4} .$$

Then,

$$[M_{i+1}|M_{i+3}] \begin{pmatrix} \Delta z_{i+1} \\ \Delta z_{i+3} \end{pmatrix} = \Delta x_i \oplus \Delta x_{i+4} .$$

Since $[M_{i+1}|M_{i+3}]$ has maximum branch number $m+1$, and since from Remark 2
$w_n(\Delta z_{i+1}) = 0$ and $w_n(\Delta z_{i+3}) = 0$ never occur simultaneously,
we obtain

$$w_n(\Delta z_{i+1}) + w_n(\Delta z_{i+3}) + w_n(\Delta x_i \oplus \Delta x_{i+4}) \ge m+1 .$$

By considering the cases $\Delta x_i = 0$ or $\Delta x_{i+4} = 0$, we directly obtain (d5) and
(d6). □

By using the previously obtained conditions (d0) to (d6), we show the following
lemma on the guaranteed number of differentially active S-boxes of an $(m,n,r)$-
SPMFC.

Lemma 3. Let $E$ be an $(m,n,r)$-SPMFC block cipher where $r \ge 6$. If every
$[M_i|M_{i+2}]$ is an optimal diffusion mapping, then any 6 consecutive rounds in
$E$ guarantee at least $2(m+1)$ differentially active S-boxes.

Proof. Consider the total number of active S-boxes in the 6 consecutive rounds starting from
the $i$-th round,

$$\sum_{k=i}^{i+5} D_k = D_i + D_{i+1} + D_{i+2} + D_{i+3} + D_{i+4} + D_{i+5} .$$

If $D_{i+1} \ne 0$ and $D_{i+4} \ne 0$, condition (d2) guarantees that $D_i + D_{i+1} +
D_{i+2} \ge m+1$ and $D_{i+3} + D_{i+4} + D_{i+5} \ge m+1$. Therefore we obtain $\sum_{k=i}^{i+5} D_k \ge
2(m+1)$.

If $D_{i+1} = 0$,

$$\sum_{k=i}^{i+5} D_k = D_i + D_{i+2} + D_{i+3} + D_{i+4} + D_{i+5} .$$

From (d1),

$$\sum_{k=i}^{i+5} D_k = 2 D_{i+2} + D_{i+3} + D_{i+4} + D_{i+5}
= (D_{i+2} + D_{i+3}) + (D_{i+2} + D_{i+4} + D_{i+5}) .$$

From (d3) and (d6),

$$\sum_{k=i}^{i+5} D_k \ge (m+1) + (m+1) = 2(m+1) .$$

The case $D_{i+4} = 0$ is proven similarly from (d1), (d4) and (d5). □

Next, we show the property of an $(m,n,r)$-SPMFC in which every
$[M_i|M_{i+2}|M_{i+4}]$ has maximum branch number. This coincides with one of the
ODM-MR design conditions.

Lemma 4. Let $E$ be an $(m,n,r)$-SPMFC block cipher. If every $[M_i|M_{i+2}|M_{i+4}]$
is an optimal diffusion mapping, then $E$ satisfies the following condition (d7).

(d7) $D_i = D_{i+6} = 0 \Rightarrow D_{i+1} + D_{i+3} + D_{i+5} \ge m+1$ .

Proof. First, from the difference relation in 7 consecutive rounds, we obtain

$$M_{i+1} \Delta z_{i+1} \oplus M_{i+3} \Delta z_{i+3} \oplus M_{i+5} \Delta z_{i+5} = \Delta x_i \oplus \Delta x_{i+6} .$$

Then,

$$[M_{i+1}|M_{i+3}|M_{i+5}] \begin{pmatrix} \Delta z_{i+1} \\ \Delta z_{i+3} \\ \Delta z_{i+5} \end{pmatrix} = \Delta x_i \oplus \Delta x_{i+6} .$$

Since $[M_{i+1}|M_{i+3}|M_{i+5}]$ has maximum branch number, and since from Remark 2
$w_n(\Delta z_{i+1})$, $w_n(\Delta z_{i+3})$ and $w_n(\Delta z_{i+5})$ cannot be simultaneously 0, we get

$$w_n(\Delta z_{i+1}) + w_n(\Delta z_{i+3}) + w_n(\Delta z_{i+5}) + w_n(\Delta x_i \oplus \Delta x_{i+6}) \ge m+1 .$$

By assuming $\Delta x_i = 0$ and $\Delta x_{i+6} = 0$, we derive condition (d7). □

From the additional condition (d7), we derive the following lemma.

Lemma 5. Let $E$ be an $(m,n,r)$-SPMFC block cipher where $r \ge 9$. If every
$[M_i|M_{i+2}|M_{i+4}]$ is an optimal diffusion mapping, then any 9 consecutive rounds
in $E$ guarantee at least $3(m+1)$ differentially active S-boxes.

Proof. Consider the total number of active S-boxes in 9 consecutive rounds,

$$\sum_{k=i}^{i+8} D_k = D_i + D_{i+1} + D_{i+2} + D_{i+3} + D_{i+4} + D_{i+5} + D_{i+6} + D_{i+7} + D_{i+8} .$$

If $D_{i+1} \ne 0$ then $D_i + D_{i+1} + D_{i+2} \ge m+1$ from (d2), and Lemma 3 guarantees
that the sum of the remaining 6 consecutive rounds satisfies $\sum_{k=i+3}^{i+8} D_k \ge
2(m+1)$. Consequently $\sum_{k=i}^{i+8} D_k \ge 3(m+1)$. Similarly, if $D_{i+7} \ne 0$, at least
$3(m+1)$ active S-boxes are guaranteed.

If $D_{i+1} = D_{i+7} = 0$, we obtain

$$\sum_{k=i}^{i+8} D_k = D_i + D_{i+2} + D_{i+3} + D_{i+4} + D_{i+5} + D_{i+6} + D_{i+8} .$$

From (d1),

$$\sum_{k=i}^{i+8} D_k = 2 D_{i+2} + D_{i+3} + D_{i+4} + D_{i+5} + 2 D_{i+6}
= (D_{i+2} + D_{i+3}) + (D_{i+2} + D_{i+4} + D_{i+6}) + (D_{i+5} + D_{i+6}) .$$

From (d3), (d7) and (d4),

$$\sum_{k=i}^{i+8} D_k \ge (m+1) + (m+1) + (m+1) = 3(m+1) .$$

As a consequence, we have shown that any 9 consecutive rounds of $E$ guarantee
at least $3(m+1)$ differentially active S-boxes. □

We conclude this section with

Theorem 1. Let $E$ be an $(m,n,r)$-SPMFC block cipher where $r \ge 6$. If every
$[M_i|M_{i+2}|M_{i+4}]$ is an optimal diffusion mapping, any $3R$ consecutive rounds in
$E$ guarantee at least $R(m+1)$ differentially active S-boxes.

Proof. Any integer $3R$ ($R \ge 2$) can be written as $3R = 6k + 9j$ ($k + j \ge 1$, $2k +
3j = R$). From Lemmata 3 and 5, 6 and 9 consecutive rounds of $E$ guarantee
$2(m+1)$ and $3(m+1)$ differentially active S-boxes, respectively. Therefore, $E$
guarantees $k \cdot 2(m+1) + j \cdot 3(m+1) = (2k+3j)(m+1) = R(m+1)$ differentially
active S-boxes. □

4.2 Proofs for the Lower Bound of Linearly Active S-Boxes 

In this subsection, we show the proof of the guaranteed number of linearly
active S-boxes of an $(m,n,r)$-SPMFC with the ODM-MR design.

Theorem 2. Let $E$ be an $(m,n,r)$-SPMFC block cipher. If every $[{}^tM_i^{-1}|{}^tM_{i+2}^{-1}]$
is an optimal diffusion mapping for any $i$, any $3R$ consecutive rounds in $E$ have
at least $R(m+1)$ linearly active S-boxes.
Proof. From the 3-round linear mask relation,

$$\Gamma x_{i+1} = {}^tM_i^{-1} \Gamma z_i \oplus {}^tM_{i+2}^{-1} \Gamma z_{i+2} .$$

Then,

$$[{}^tM_i^{-1}|{}^tM_{i+2}^{-1}] \begin{pmatrix} \Gamma z_i \\ \Gamma z_{i+2} \end{pmatrix} = \Gamma x_{i+1} .$$

Since $[{}^tM_i^{-1}|{}^tM_{i+2}^{-1}]$ has maximum branch number $m+1$, and since from Remark
2 $w_n(\Gamma z_i)$ and $w_n(\Gamma z_{i+2})$ cannot be simultaneously 0, we obtain

$$w_n(\Gamma z_i) + w_n(\Gamma x_{i+1}) + w_n(\Gamma z_{i+2}) \ge m+1 .$$

By using the notion of $L_i$, this implies

$$L_i + L_{i+1} + L_{i+2} \ge m+1 .$$

This shows that every 3 consecutive rounds guarantee at least $m+1$ linearly
active S-boxes. Consequently, any $3R$ consecutive rounds in $E$ guarantee
$\sum_{k=i}^{i+3R-1} L_k \ge R(m+1)$. □

Finally, by simply combining Theorems 1 and 2, the claimed Corollary 1 
follows directly. Appendix A contains example matrices that satisfy the ODM- 
MR design. 



5 Discussion 

5.1 Comparison of ODM-MR and MDS-Feistel 

To discuss the implications of this new design approach, we show empirical search
results for the cases $r = 12$, $m = 4, \ldots, 8$. To obtain these results we employed a
weight-based search method. This approach has been used by Shirai and Shibutani
before [18]. Our results are shown in Table 1. In the table, the values for
more than 13 rounds are interpolated by the corollary and Shimizu's conjecture.
Note that the simulation results completely match the lower bound values
predicted by the corollary, which are denoted by the underlined values. These
results show the superiority of the ODM-MR design over MDS-Feistel explicitly.

Fig. 2 shows graphs of the results in Table 1, and five auxiliary lines $y =
(m+1)x/3$ are added, where $m = 4, \ldots, 8$. These lines connect the lower bound
values of every $3R$-th round.

The left side of Fig. 3 shows an estimated lower bound for MDS-Feistel and the
approximate lines $y = (m+2)x/4 - 1$. To see the effect of the ODM-MR approach
graphically, the right side of Fig. 3 includes the approximated lines for ODM-MR
and MDS-Feistel for $m = 4$ and $m = 8$. The differences of the gradients show
explicitly the advantage of the ODM-MR approach.
Table 1. Lower Bounds of MDS-Feistel and ODM-MR design
M1: numbers of active S-boxes of MDS-Feistel
D: numbers of differentially active S-boxes of ODM-MR
L: numbers of linearly active S-boxes of ODM-MR

Fig. 2. Lower bounds of the ODM-MR design ($m = 8$)



5.2 Active S-Box Ratio 

In this subsection, we compare the ODM-MR approach to other design approaches
using a measure of a new type. Since we obtained a formal lower bound for
the ODM-MR design approach, we can compare it to other well-known design
approaches based on the concept of the active S-box ratio introduced by Shirai
and Shibutani [18].

Let $active(r,m)$ be the number of guaranteed active S-boxes for an $r$-round
cipher which employs $m \times m$ diffusion matrices over GF($2^n$) in its diffusion
layer. For example, $active(r,m)$ of the MDS-Feistel design can be written as

$$active(r,m) = (m+2) \lfloor r/4 \rfloor + \alpha_{r,m} ,$$

where $\alpha_{r,m} = (r \bmod 4) - 1$. Generally, $\alpha_{r,m}$ is a function whose maximum
absolute value is proportional to $m$ and $\lim_{r \to \infty} \alpha_{r,m}/r = 0$.

Fig. 3. Comparison of MDS-Feistel and ODM-MR design

Next, let $total(r,m)$ be the total number of S-boxes in an $r$-round cipher. The
ratio of the number of active S-boxes to the total number of S-boxes becomes

$$ratio(r,m) = \frac{active(r,m)}{total(r,m)} = \frac{(m+2) \lfloor r/4 \rfloor + \alpha_{r,m}}{rm} .$$

By using the definition of the active S-box ratio, we can study the characteristics of
the MDS-Feistel design. For example, consider a 128-bit block cipher employing
8-bit S-boxes. For $m = 8$, $ratio(r,8)$ converges to a specific value when $r$ goes
to infinity:

$$\lim_{r \to \infty} ratio(r,8) = \lim_{r \to \infty} \frac{10 \lfloor r/4 \rfloor + \alpha_{r,8}}{8r} = \frac{10}{32} = 0.3125 .$$



This implies that about 31% of all S-boxes will be active for a very large 
number of rounds. This limit can be considered as a potentially guaranteed 
ratio of active S-boxes corresponding to the chosen m. 

Also, we can take the limit of $ratio(r,m)$ when both $r$ and $m$ tend to infinity:

$$\lim_{r,m \to \infty} ratio(r,m) = \lim_{r,m \to \infty} \frac{(m+2) \lfloor r/4 \rfloor + \alpha_{r,m}}{rm} = \frac{1}{4} = 0.25 .$$

Even though huge $r$ and $m$ are not practical in the real world, the value can
be understood as an indicator of the potential efficiency of a particular design
strategy.

We propose these limits as a reference to evaluate the efficiency of the linear
diffusion layer of a cipher and use them to compare ciphers employing different
design strategies. The following table contains the convergence values of the
"MDS-Feistel" and the "ODM-MR" designs. Additionally, the following "Rijndael
type" and "SHARK type" design approaches are also evaluated for reference.

Rijndael Type: An $nm^2$-bit SPN block cipher design whose round function
consists of key addition, $m \times m$ parallel $n$-bit S-boxes, a MixColumn employing
$m$ $m \times m$ matrices over GF($2^n$) and a ShiftRow operation [4].
Table 2. Comparison of the Active S-box Ratio

Type          | $active(r,m)$                                | $total(r,m)$ | 128-bit block, $\lim_{r \to \infty}$ | $\lim_{r,m \to \infty}$
MDS-Feistel   | $(m+2) \lfloor r/4 \rfloor + \alpha_{r,m}$    | $rm$         | $m = 8$: 0.313                       | 0.25
ODM-MR        | $(m+1) \lfloor r/3 \rfloor + \delta_{r,m}$    | $rm$         | $m = 8$: 0.371                       | 0.33
Rijndael type | $(m+1)^2 \lfloor r/4 \rfloor + \gamma_{r,m}$  | $rm^2$       | $m = 4$: 0.391                       | 0.25
SHARK type    | $(m+1) \lfloor r/2 \rfloor + \alpha_{r,m}$    | $rm$         | $m = 16$: 0.531                      | 0.5


SHARK Type: An $nm$-bit SPN block cipher design in which $m$ parallel $n$-bit
S-boxes and an $m \times m$ matrix over GF($2^n$) are employed [12].

Note that all four designs employ optimal diffusion mappings in their diffusion
layers; they have a block length of 128 bits with 8-bit S-boxes. The result shows
that the ODM-MR approach has a better limit than MDS-Feistel in the 128-bit
block setting, which is also confirmed by the empirical results in the previous
section. We also see that ODM-MR's limit is closer to that of the Rijndael
design approach than MDS-Feistel's.

Moreover, the limit value of the ODM-MR approach, when both $r$ and $m$ tend
to infinity, exceeds that of the Rijndael-type construction. This is due to the fact
that the ODM-MR approach guarantees a certain number of active S-boxes for
3 consecutive rounds, while the Rijndael-type approach has such a property for
4 consecutive rounds.

The values of SHARK are still the highest, because the design strategy has a
2-round property. However, there seems to be a tradeoff with the implementation
cost, as the SHARK-type design requires matrices which are twice as large as the
matrices in MDS-Feistel and ODM-MR and four times as large as in the
Rijndael approach.



6 Conclusion 

We provide a theoretical motivation for the ODM-MR design. We first give a
theoretical explanation of ODM-MR, and found additional conditions and proofs to
improve the immunity against differential and linear cryptanalysis. As a result,
we showed that the ODM-MR design approach guarantees at least $R(m+1)$
active S-boxes in $3R$ consecutive rounds ($R \ge 2$), where $m$ is the number of
S-boxes in a round. This guaranteed number of active S-boxes was compared with
those of other well-known designs, namely SHARK, Rijndael, and
MDS-Feistel ciphers. We were able to show that our design approach outperforms
some of the other designs.
helpful comments.
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Appendix A 

We show one method to construct a Feistel cipher satisfying the ODM-MR
design. To construct a concrete cipher, at least three $m \times m$ matrices over $GF(2^n)$
are required to satisfy all the ODM-MR conditions. The construction steps are:

1. Choose $m \times m$ matrices $A_0, A_1, A_2$ over $GF(2^n)$ such that

   (a) every square submatrix of $[A_0 \,|\, A_1 \,|\, A_2]$ is nonsingular,

   (b) every square submatrix of [matrix illegible in the scan] is nonsingular.

2. Set these three matrices as $M_{2i+1} = M_{2r-2i} = A_{i \bmod 3}$, for $0 \le i < r$, in
   a Feistel cipher with $2r$ rounds.



Note that all operations in Step 1 are over $GF(2^n)$, although the optimal
diffusion conditions for $[M_i \,|\, M_{i+2} \,|\, M_{i+4}]$ and [matrix illegible in the scan] are given over $GF(2)$.

Here we show an example of three matrices $A_0, A_1, A_2$ for the case $m = 4$.

Example 1. The following matrices $A_0, A_1, A_2$ satisfy the ODM-MR conditions.



$$
A_0 = \begin{pmatrix}
\mathtt{9d} & \mathtt{b4} & \mathtt{d3} & \mathtt{5d} \\
\mathtt{29} & \mathtt{34} & \mathtt{39} & \mathtt{60} \\
\mathtt{67} & \mathtt{6a} & \mathtt{d2} & \mathtt{e3} \\
\mathtt{8e} & \mathtt{d7} & \mathtt{e6} & \mathtt{1b}
\end{pmatrix},
\quad
A_1 = \begin{pmatrix}
\mathtt{ae} & \mathtt{ec} & \mathtt{b9} & \mathtt{3e} \\
\mathtt{81} & \mathtt{25} & \mathtt{13} & \mathtt{d4} \\
\mathtt{db} & \mathtt{9d} & \mathtt{4?} & \mathtt{1b} \\
\mathtt{9e} & \mathtt{3a} & \mathtt{91} & \mathtt{39}
\end{pmatrix},
\quad
A_2 = \begin{pmatrix}
\mathtt{b8} & \mathtt{f1} & \mathtt{65} & \mathtt{ef} \\
\mathtt{3a} & \mathtt{f6} & \mathtt{2d} & \mathtt{6a} \\
\mathtt{4a} & \mathtt{97} & \mathtt{a3} & \mathtt{b9} \\
\mathtt{82} & \mathtt{5f} & \mathtt{a2} & \mathtt{c1}
\end{pmatrix}
$$

(In the third row of $A_1$ one hexadecimal digit, marked "?", is illegible in the scan.)



Each element is expressed as a hexadecimal value corresponding to the binary
representation of an element of $GF(2^8)$ with primitive polynomial $p(x) = x^8 + x^{?} + x^{?} + x^{?} + 1$
(the three middle exponents are illegible in the scan). From the corollary, a $(4, 8, 12)$-SPNFC employing the above
matrices $A_0, A_1, A_2$ as outlined in Fig. 4 guarantees 10, 15 and 20 differentially
and linearly active S-boxes in 6, 9 and 12 consecutive rounds, respectively.




Fig. 4. Example Allocation of Matrices $A_0, A_1, A_2$
Abstract. We describe highly efficient constructions, XE and XEX,
that turn a blockcipher $E\colon \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ into a tweakable blockcipher
$\widetilde{E}\colon \mathcal{K} \times \mathcal{T} \times \{0,1\}^n \to \{0,1\}^n$ having tweak space $\mathcal{T} = \{0,1\}^n \times \mathcal{I}$
where $\mathcal{I}$ is a set of tuples of integers such as $\mathcal{I} = [1 .. 2^{n/2}] \times [0 .. 10]$. When
tweak $T$ is obtained from tweak $S$ by incrementing one of its numerical
components, the cost to compute $\widetilde{E}^T_K(M)$ having already computed some
$\widetilde{E}^S_K(M')$ is one blockcipher call plus a small and constant number of
elementary machine operations. Our constructions work by associating
to the $i$-th coordinate of $\mathcal{I}$ an element $\alpha_i \in \mathbb{F}^*_{2^n}$ and multiplying by $\alpha_i$
when one increments that component of the tweak. We illustrate the use
of this approach by refining the authenticated-encryption scheme OCB
and the message authentication code PMAC, yielding variants of these
algorithms that are simpler and faster than the original schemes, and yet
have simpler proofs. Our results bolster the thesis of Liskov, Rivest, and
Wagner [10] that a desirable approach for designing modes of operation
is to start from a tweakable blockcipher. We elaborate on their idea, suggesting
the kind of tweak space, usage-discipline, and blockcipher-based
instantiations that give rise to simple and efficient modes.



1 Introduction 

Liskov, Rivest and Wagner [10] defined the notion of a tweakable blockcipher and
put forward the thesis that these objects make a good starting point for doing
blockcipher-based cryptographic design. In this paper we describe a good way
to build a tweakable blockcipher $\widetilde{E}$ out of an ordinary blockcipher $E$. Used as
intended, our constructions, XE and XEX, add just a few machine instructions
to the cost of computing $E$. We illustrate the use of these constructions by
improving on the authenticated-encryption scheme OCB [15] and the message
authentication code PMAC [4].

P.J. Lee (Ed.): ASIACRYPT 2004, LNCS 3329, pp. 16-31, 2004.

(c) Springer-Verlag Berlin Heidelberg 2004
Tweakable blockciphers. Schroeppel [16] designed a blockcipher, Hasty
Pud­ding, wherein the user supplies a non-secret spice and changing this spice
produces a completely different permutation. Liskov, Rivest, and Wagner [10]
formally defined the syntax and security measures for such a tweakable blockcipher,
and they suggested that this abstraction makes a desirable starting point
to design modes of operation and prove them secure. They suggested ways to
build a tweakable blockcipher $\widetilde{E}$ out of a standard blockcipher $E$, as well as
ways to modify existing blockcipher designs to incorporate a tweak. They illustrated
the use of these objects. Formally, a tweakable blockcipher is a map
$\widetilde{E}\colon \mathcal{K} \times \mathcal{T} \times \{0,1\}^n \to \{0,1\}^n$ where each $\widetilde{E}^T_K(\cdot) = \widetilde{E}(K, T, \cdot)$ is a permutation
and $\mathcal{T}$ is the set of tweaks.

Our contributions. We propose efficient ways to turn a blockcipher $E\colon \mathcal{K} \times
\{0,1\}^n \to \{0,1\}^n$ into a tweakable blockcipher $\widetilde{E}\colon \mathcal{K} \times \mathcal{T} \times \{0,1\}^n \to \{0,1\}^n$.
(See Appendix A for the best constructions formerly known.) Our powering-up
constructions, XE and XEX, preserve the key space and blocksize of $E$ but
endow $\widetilde{E}$ with a tweak space $\mathcal{T} = \{0,1\}^n \times \mathcal{I}$ where $\mathcal{I}$ is a set of tuples of
integers, like $\mathcal{I} = [1 .. 2^{n/2}] \times [0 .. 10]$. The XE construction turns a CPA-secure
blockcipher into a CPA-secure tweakable blockcipher, while XEX turns a CCA-secure
blockcipher into a CCA-secure tweakable blockcipher. (CPA stands for
chosen-plaintext attack and CCA for chosen-ciphertext attack.) The methods
are highly efficient when tweaks arise in sequence, with most tweaks $(N, \mathbf{i})$ being
identical to the prior tweak $(N, \mathbf{i}')$ except for incrementing a component of $\mathbf{i}$.

As an illustrative and useful example, consider turning a conventional blockcipher
$E\colon \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ into a tweakable blockcipher $\widetilde{E}\colon \mathcal{K} \times \mathcal{T} \times \{0,1\}^n \to
\{0,1\}^n$ by defining $\widetilde{E}^{N\,i\,j}_K(M) = E_K(M \oplus \Delta) \oplus \Delta$ where offset $\Delta = 2^i 3^j \mathbf{N}$ and
$\mathbf{N} = E_K(N)$. Arithmetic is done in the finite field $\mathbb{F}_{2^n}$. For concreteness, assume
$n = 128$ and a tweak space of $\mathcal{T} = \{0,1\}^n \times [1 .. 2^{64}] \times [0 .. 10]$. We show that $\widetilde{E}$ is
secure (as a strong, tweakable PRP) as long as $E$ is secure (as a strong, untweakable
PRP). Computing $\widetilde{E}^{N\,i\,j}_K(X)$ will usually cost about 1 shift, 1 conditional,
and 3-4 xors more than computing $E_K(X)$.

We illustrate how the use of tweakable blockciphers during mode design, followed
by the instantiation of the tweakable blockcipher with an ordinary blockcipher
using one of our constructions, can give rise to modes that are simpler,
faster, and easier to prove correct than what designing directly from a blockcipher
has delivered. We do this by refining two already-optimized modes, OCB [15]
and PMAC [4], yielding new modes, OCB1 and PMAC1, that are easier
to understand, easier to implement, and faster. Computing offsets in the new
modes does not involve Gray-code sequences or counting the number of trailing
zero bits in successive integers. OCB1 eliminates the utility of preprocessing,
saving a blockcipher call.

Intuition. The idea behind the powering-up constructions can be explained
like this. Apart from Gray-code reordering, PMAC authenticates an $m$-block
message using a sequence of offsets $L, 2L, 3L, \ldots, (m-1)L$, where multiplication
is in the finite field $\mathbb{F}_{2^n}$ and $L = E_K(0^n)$ is a variant of the underlying
key $K$. When a special kind of offset is needed, a value $\mathit{huge} \cdot L$ is added (xored)
into the current offset, where $\mathit{huge}$ is so large that it could never be among
$\{1, 2, \ldots, m-1\}$. What we now do instead is to use the easier-to-compute sequence
of offsets $2^1 L, 2^2 L, \ldots, 2^{m-1} L$. We insist that our field be represented
using a primitive polynomial instead of merely an irreducible one, which ensures
that $2^1, 2^2, 2^3, \ldots, 2^{2^n - 1}$ will all be distinct. When a special offset is needed we
can no longer add to the current offset some huge constant times $L$ and expect
this never to land on a point in $2^1 L, 2^2 L, \ldots, 2^{m-1} L$. Instead, we multiply the
current offset by 3 instead of 2. If the index of 3 (in $\mathbb{F}^*_{2^n}$) is enormous relative
to the base 2 then multiplying by 3 is equivalent to multiplying by $2^{\mathit{huge}}$ and
$2^i 3 L$ won't be among $2^1 L, 2^2 L, \ldots, 2^{m-1} L$ for any reasonable value of $m$. The
current paper will make all of the ideas of this paragraph precise.

Further related work. Halevi and Rogaway [7] used the sequence of offsets
$2L, 2^2 L, 2^3 L, \ldots$ in their EME mode. They give no general results about
this construction, and EME did not use tweakable blockciphers, yet this offset
ordering was our starting point.



2 Preliminaries 

The field with $2^n$ points. Let $\mathbb{F}_{2^n}$ denote the field with $2^n$ points and let $\mathbb{F}^*_{2^n}$
be its multiplicative subgroup. We interchangeably think of a point $a \in \mathbb{F}_{2^n}$ as
an $n$-bit string, a formal polynomial of degree $n-1$, or as an integer in $[0 .. 2^n - 1]$.
To represent points select a primitive polynomial, say the lexicographically first
one among the degree-$n$ polynomials having a minimum number of nonzero
coefficients. For $n = 128$ the indicated polynomial is $p_{128}(x) = x^{128} + x^7 + x^2 + x + 1$.
Saying that $p_n(x)$ is primitive means that it is irreducible over $\mathbb{F}_2$
and 2 (i.e., $x$) generates all of $\mathbb{F}^*_{2^n}$. It is computationally simple to multiply
$a \in \{0,1\}^n$ by 2. To illustrate for $n = 128$, $2a = a \ll 1$ if $\mathrm{firstbit}(a) = 0$ and
$2a = (a \ll 1) \oplus 0^{120}10000111$ if $\mathrm{firstbit}(a) = 1$. One can easily multiply by other small
constants, as $3a = 2a \oplus a$ and $5a = 2(2a) \oplus a$ and so forth.

Blockciphers and tweakable blockciphers. We review the standard definitions
for blockciphers and their security [2] and the extension of these notions to
tweakable blockciphers [10]. A blockcipher is a function $E\colon \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$
where $n \ge 1$ is a number and $\mathcal{K}$ is a finite nonempty set and $E(K, \cdot) =
E_K(\cdot)$ is a permutation for all $K \in \mathcal{K}$. A tweakable blockcipher is a function
$\widetilde{E}\colon \mathcal{K} \times \mathcal{T} \times \{0,1\}^n \to \{0,1\}^n$ where $n$ and $\mathcal{K}$ are as above and $\mathcal{T}$ is a nonempty
set and $\widetilde{E}(K, T, \cdot) = \widetilde{E}^T_K(\cdot)$ is a permutation for all $K \in \mathcal{K}$ and $T \in \mathcal{T}$. For
blockciphers and tweakable blockciphers we call $n$ the blocksize and $\mathcal{K}$ the key
space. For tweakable blockciphers we call $\mathcal{T}$ the tweak space.

Let $\mathrm{Perm}(n)$ be the set of all permutations on $n$ bits. Let $\mathrm{Perm}(\mathcal{T}, n)$ be the
set of all mappings from $\mathcal{T}$ to permutations on $n$ bits. In writing $\pi \xleftarrow{\$} \mathrm{Perm}(n)$ we
are choosing a random permutation $\pi(\cdot)$ on $\{0,1\}^n$. In writing $\pi \xleftarrow{\$} \mathrm{Perm}(\mathcal{T}, n)$
we are choosing a random permutation $\pi(T, \cdot) = \pi_T(\cdot)$ on $\{0,1\}^n$ for each $T \in \mathcal{T}$.
If $E\colon \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ is a blockcipher then its inverse is the blockcipher
$D = E^{-1}$ where $D\colon \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ is defined by $D(K, Y) = D_K(Y)$ being
the unique point $X$ such that $E_K(X) = Y$. If $\widetilde{E}\colon \mathcal{K} \times \mathcal{T} \times \{0,1\}^n \to \{0,1\}^n$ is
a tweakable blockcipher then its inverse is the tweakable blockcipher $\widetilde{D} = \widetilde{E}^{-1}$
where $\widetilde{D}\colon \mathcal{K} \times \mathcal{T} \times \{0,1\}^n \to \{0,1\}^n$ is defined by $\widetilde{D}(K, T, Y) = \widetilde{D}^T_K(Y)$ being
the unique point $X$ such that $\widetilde{E}^T_K(X) = Y$.

An adversary is a probabilistic algorithm with access to zero or more oracles.
Without loss of generality, adversaries never ask a query for which the answer
is trivially known: an adversary does not repeat a query, does not ask $D_K(Y)$
after receiving $Y$ in response to a query $E_K(X)$, and so forth. Oracles will have
an implicit domain of valid queries and, for convenience, we assume that all
adversarial queries lie within that domain. This is not a significant restriction
because membership can be easily tested for all domains of interest to us.

Definition 1 (Blockcipher/Tweakable-Blockcipher Security). Let $E\colon \mathcal{K} \times
\{0,1\}^n \to \{0,1\}^n$ be a blockcipher and let $\widetilde{E}\colon \mathcal{K} \times \mathcal{T} \times \{0,1\}^n \to \{0,1\}^n$ be a
tweakable blockcipher. Let $A$ be an adversary. Then $\mathbf{Adv}^{\mathrm{prp}}_E(A)$, $\mathbf{Adv}^{\pm\mathrm{prp}}_E(A)$,
$\mathbf{Adv}^{\widetilde{\mathrm{prp}}}_{\widetilde{E}}(A)$, and $\mathbf{Adv}^{\pm\widetilde{\mathrm{prp}}}_{\widetilde{E}}(A)$ are defined by:

$$\mathbf{Adv}^{\mathrm{prp}}_E(A) = \Pr[K \xleftarrow{\$} \mathcal{K} : A^{E_K(\cdot)} \Rightarrow 1] - \Pr[\pi \xleftarrow{\$} \mathrm{Perm}(n) : A^{\pi(\cdot)} \Rightarrow 1]$$

$$\mathbf{Adv}^{\pm\mathrm{prp}}_E(A) = \Pr[K \xleftarrow{\$} \mathcal{K} : A^{E_K(\cdot)\,D_K(\cdot)} \Rightarrow 1] - \Pr[\pi \xleftarrow{\$} \mathrm{Perm}(n) : A^{\pi(\cdot)\,\pi^{-1}(\cdot)} \Rightarrow 1]$$

$$\mathbf{Adv}^{\widetilde{\mathrm{prp}}}_{\widetilde{E}}(A) = \Pr[K \xleftarrow{\$} \mathcal{K} : A^{\widetilde{E}_K(\cdot,\cdot)} \Rightarrow 1] - \Pr[\pi \xleftarrow{\$} \mathrm{Perm}(\mathcal{T}, n) : A^{\pi(\cdot,\cdot)} \Rightarrow 1]$$

$$\mathbf{Adv}^{\pm\widetilde{\mathrm{prp}}}_{\widetilde{E}}(A) = \Pr[K \xleftarrow{\$} \mathcal{K} : A^{\widetilde{E}_K(\cdot,\cdot)\,\widetilde{D}_K(\cdot,\cdot)} \Rightarrow 1] - \Pr[\pi \xleftarrow{\$} \mathrm{Perm}(\mathcal{T}, n) : A^{\pi(\cdot,\cdot)\,\pi^{-1}(\cdot,\cdot)} \Rightarrow 1] \qquad \square$$

Of course $D$ and $\widetilde{D}$ denote the inverses of blockciphers $E$ and $\widetilde{E}$. In writing
$A \Rightarrow 1$ we are referring to the event that the adversary $A$ outputs the bit 1.

In the usual way we lift advantage measures that depend on an adversary
to advantage measures that depend on named resources: $\mathbf{Adv}^{\mathrm{xxx}}_\Pi(\mathcal{R}) =
\max_A \{\mathbf{Adv}^{\mathrm{xxx}}_\Pi(A)\}$ over all adversaries $A$ that use resources at most $\mathcal{R}$. The
resources of interest to us are the total number of oracle queries $q$ and the total
length of those queries $\sigma$ and the running time $t$. For convenience, the total length
of queries will be measured in $n$-bit blocks, for some understood value of $n$, so a
query $X$ contributes $|X|_n$ to the total, where $|X|_n$ means $\max\{\lceil |X|/n \rceil, 1\}$. Running
time, by convention, includes the description size of the algorithm relative
to some standard encoding. When we speak of authenticity, the block length of
the adversary's output is included in $\sigma$.






3 The XE and XEX Constructions 

Goals. We want to support tweak sets that look like $\mathcal{T} = \{0,1\}^n \times \mathcal{I}$ where $\mathcal{I}$
is a set of tuples of integers. In particular, we want to be able to make $\mathcal{I}$ the
cross product of a large subrange of integers, like $[1 .. 2^{n/2}]$, by the cross product
of small ranges of integers, like $[0 .. 10] \times [0 .. 10]$. Thus an example tweak
space is $\mathcal{T} = \{0,1\}^n \times [1 .. 2^{n/2}] \times [0 .. 10] \times [0 .. 10]$. Tweaks arise in some sequence
$T_1, T_2, \ldots$ and we will obtain impressive efficiency only to the extent that
most tweaks are an increment of the immediately prior one. When we say that
tweak $T = (N, i_1, \ldots, i_k)$ is an increment of another tweak we mean that one
of $i_1, \ldots, i_k$ got incremented and everything else stayed the same. The second
component of tweak $(N, i_1, \ldots, i_k)$, meaning $i_1$, is the component that we expect
to get incremented most often. We want there to be a simple, constant-time
procedure to increment a tweak at any given component of $\mathcal{I}$. To increment a
tweak it shouldn't be necessary to go to memory, consult a table, or examine
which number tweak this is in the sequence. Incrementing tweaks should be endian-independent
and avoid extended-precision arithmetic. Efficiently incrementing
tweaks shouldn't require precomputation. Tweaks that are not the increment
of a prior tweak will also arise, and they will typically look like $(N, 1, 0, \ldots, 0)$.
Constructions should be reasonably efficient in dealing with such tweaks.

We emphasize that the efficiency measure we are focusing on is not the cost
of computing $\widetilde{E}^T_K(X)$ from scratch; by that measure our constructions will not
be particularly good. Instead, we are interested in the cost of computing $\widetilde{E}^T_K(X)$
given that one has just computed $\widetilde{E}^S_K(X')$ and $T$ is obtained by incrementing
$S$ at some component. Most often that component will have been the second
component of $S$. It is a thesis underlying our work, supported by the design of
OCB1 and PMAC1, that one will often be able to arrange that most tweaks are
an increment to the prior one.

Tweaking with $\Delta = 2^i \mathbf{N}$. Recall that we have chosen to represent points
in $\mathbb{F}_{2^n}$ using a primitive polynomial, not just an irreducible one. This means
that the point 2 is a generator of $\mathbb{F}^*_{2^n}$: the points $1, 2, 2^2, 2^3, \ldots, 2^{2^n - 2}$ are all
distinct. This property turns out to be the crucial one that lets us construct
from a blockcipher $E\colon \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ a tweakable blockcipher $\widetilde{E}\colon \mathcal{K} \times
(\{0,1\}^n \times [1 .. 2^n - 2]) \times \{0,1\}^n \to \{0,1\}^n$ by way of

$$\widetilde{E}^{N\,i}_K(M) = E_K(M \oplus \Delta) \oplus \Delta \quad \text{where } \Delta = 2^i \mathbf{N} \text{ and } \mathbf{N} = E_K(N).$$

The tweak set is $\mathcal{T} = \{0,1\}^n \times \mathcal{I}$ where $\mathcal{I} = [1 .. 2^n - 2]$ and the tweakable
blockcipher just described is denoted $\widetilde{E} = \mathrm{XEX}[E, 2^{\mathcal{I}}]$. When computing the
sequence of values $\widetilde{E}^{N\,1}_K(M_1), \ldots, \widetilde{E}^{N\,m-1}_K(M_{m-1})$ each $\widetilde{E}^{N\,i}_K(M_i)$ computation
but the first uses one blockcipher call and one doubling operation. Doubling
takes a shift followed by a conditional xor. We call the construction above, and
all the subsequent constructions of this section, powering-up constructions.

Tweaking by $\Delta = 2^i 3^j \mathbf{N}$. To facilitate mode design we may want tweaks that
look like $(N, i, j)$ where $N \in \{0,1\}^n$ and $i$ is an integer from a large set $\mathcal{I}$, like
$\mathcal{I} = [1 .. 2^{n/2}]$, and $j$ is an integer from some small set $\mathcal{J}$, like $\mathcal{J} = \{0, 1\}$. To get the
"diversity" associated to the various $j$-values we just multiply by 3 instead of 2.
That is, we construct from a blockcipher $E\colon \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ a tweakable
blockcipher $\widetilde{E}\colon \mathcal{K} \times (\{0,1\}^n \times \mathcal{I} \times \mathcal{J}) \times \{0,1\}^n \to \{0,1\}^n$ by way of

$$\widetilde{E}^{N\,i\,j}_K(M) = E_K(M \oplus \Delta) \oplus \Delta \quad \text{where } \Delta = 2^i 3^j \mathbf{N} \text{ and } \mathbf{N} = E_K(N).$$

The tweakable blockcipher just described is denoted $\widetilde{E} = \mathrm{XEX}[E, 2^{\mathcal{I}} 3^{\mathcal{J}}]$. Incrementing
the tweak at component $i$ is done by doubling, while incrementing
the tweak at component $j$ is done by tripling.

The XEX construction. Generalizing the two examples above, we have the
following definition.

Definition 2 (XEX). Let $E\colon \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ be a blockcipher, let
$\alpha_1, \ldots, \alpha_k \in \mathbb{F}^*_{2^n}$, and let $\mathcal{I}_1, \ldots, \mathcal{I}_k \subseteq \mathbb{Z}$. Then $\widetilde{E} = \mathrm{XEX}[E, \alpha_1^{\mathcal{I}_1} \cdots \alpha_k^{\mathcal{I}_k}]$ is the
tweakable blockcipher $\widetilde{E}\colon \mathcal{K} \times (\{0,1\}^n \times \mathcal{I}_1 \times \cdots \times \mathcal{I}_k) \times \{0,1\}^n \to \{0,1\}^n$ defined
by $\widetilde{E}^{N\,i_1 \cdots i_k}_K(M) = E_K(M \oplus \Delta) \oplus \Delta$ where $\Delta = \alpha_1^{i_1} \cdots \alpha_k^{i_k} \mathbf{N}$ and $\mathbf{N} = E_K(N)$. $\square$

The XE construction. As made clear in the work of Liskov, Rivest, and
Wagner [10], constructions of the form $\widetilde{E}^T_K(M) = E_K(M \oplus \Delta) \oplus \Delta$ aim for chosen-ciphertext
attack (CCA) security, while for chosen-plaintext attack (CPA) security
one can omit the outer xor. Thus we consider the construction $E_K(M \oplus \Delta)$.
This is slightly more efficient than XEX, saving one xor.

Definition 3 (XE). Let $E\colon \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ be a blockcipher, $\alpha_1, \ldots, \alpha_k \in
\mathbb{F}^*_{2^n}$, and $\mathcal{I}_1, \ldots, \mathcal{I}_k \subseteq \mathbb{Z}$. Then $\widetilde{E} = \mathrm{XE}[E, \alpha_1^{\mathcal{I}_1} \cdots \alpha_k^{\mathcal{I}_k}]$ is the tweakable blockcipher
$\widetilde{E}\colon \mathcal{K} \times (\{0,1\}^n \times \mathcal{I}_1 \times \cdots \times \mathcal{I}_k) \times \{0,1\}^n \to \{0,1\}^n$ defined by $\widetilde{E}^{N\,i_1 \cdots i_k}_K(M) =
E_K(M \oplus \Delta)$ where $\Delta = \alpha_1^{i_1} \cdots \alpha_k^{i_k} \mathbf{N}$ and $\mathbf{N} = E_K(N)$. $\square$

4 Parameter Sets Yielding Unique Representations 

It is easy to see that the XE and XEX constructions can only "work" if the values $\alpha_1^{i_1} \cdots \alpha_k^{i_k}$
are distinct throughout $(i_1, \ldots, i_k) \in \mathcal{I}_1 \times \cdots \times \mathcal{I}_k$. This motivates the following
definition.

Definition 4 (Unique Representations). Fix a group $G$. A choice of parameters
is a list $\alpha_1, \ldots, \alpha_k \in G$ of bases and a set $\mathcal{I}_1 \times \cdots \times \mathcal{I}_k \subseteq \mathbb{Z}^k$ of
allowed indices. We say that the choice of parameters provides unique representations
if for every $(i_1, \ldots, i_k), (j_1, \ldots, j_k) \in \mathcal{I}_1 \times \cdots \times \mathcal{I}_k$ we have that
$\alpha_1^{i_1} \cdots \alpha_k^{i_k} = \alpha_1^{j_1} \cdots \alpha_k^{j_k}$ implies $(i_1, \ldots, i_k) = (j_1, \ldots, j_k)$. $\square$

In other words, representable points are uniquely representable: any group
element that can be represented using allowed indices can be represented
in only one way (using allowed indices).

For tweak spaces of practical interest, discrete-log calculations within $\mathbb{F}^*_{2^n}$
can be used to help choose and verify that a given choice of parameters provides
unique representations. The following result gives examples for $\mathbb{F}^*_{2^{128}}$.

Proposition 1 [Can Use 2, 3, 7 When $n = 128$]. In the group $\mathbb{F}^*_{2^{128}}$ the
following choices for parameters provide unique representations:

(1) $\alpha_1 = 2$ and $\mathcal{I}_1 = [-2^{126} .. 2^{126}]$,

(2) $\alpha_1, \alpha_2 = 2, 3$ and $\mathcal{I}_1 \times \mathcal{I}_2 = [-2^{115} .. 2^{115}] \times [-2^{10} .. 2^{10}]$,

(3) $\alpha_1, \alpha_2, \alpha_3 = 2, 3, 7$ and $\mathcal{I}_1 \times \mathcal{I}_2 \times \mathcal{I}_3 = [-2^{108} .. 2^{108}] \times [-2^7 .. 2^7] \times [-2^7 .. 2^7]$.
Proof. For statement (1) recall that 2 is a generator of the group (by our choice
of irreducible polynomial) and the order of the group $\mathbb{F}^*_{2^{128}}$ is $2^{128} - 1$, and so
$2^i = 2^j$ iff $i = j \pmod{2^{128} - 1}$, and so any contiguous range of $2^{128} - 1$ or fewer
integers will provide unique representations with respect to base 2.

To prove statement (2) we need to compute $\log_2 3$ in the group $\mathbb{F}^*_{2^{128}}$:

$$\log_2 3 = 338793687469689340204974836150077311399 \quad \text{(decimal)}$$

This and subsequent discrete logs were computed using a Maple implementation
combining the Pohlig-Hellman [11] and Pollard-rho [12] algorithms. (A naive implementation
computes discrete logs in $\mathbb{F}^*_{2^{128}}$ in a few hours.) Now note that $2^a 3^b =
2^{a'} 3^{b'}$ iff $2^a 2^{b \log_2 3} = 2^{a'} 2^{b' \log_2 3}$ iff $2^{a + b \log_2 3} = 2^{a' + b' \log_2 3}$ iff $a + b \log_2 3 =
a' + b' \log_2 3 \pmod{2^{128} - 1}$, because 2 is a generator of the group $\mathbb{F}^*_{2^{128}}$. Thus
$2^a 3^b = 2^{a'} 3^{b'}$ iff $a - a' = (b' - b) \log_2 3 \pmod{2^{128} - 1}$. If $b, b' \in [-2^{10} .. 2^{10}]$
then $\Delta_b = b' - b \in [-2^{11} .. 2^{11}]$ and computer-assisted calculation then shows that
the smallest value of $\Delta_b \log_2 3 \pmod{2^{128} - 1}$ for $\Delta_b \in [-2^{11} .. 2^{11}]$ and $\Delta_b \ne 0$
is $1600 \log_2 3 = \mathtt{00113a0ce508326c006763c0b80c59f9}$ (in hexadecimal), which is
about $2^{116.1}$. (By "smallest" we refer to the distance from 0, modulo $2^{128} - 1$, so $2^{100}$
and $(2^{128} - 1) - 2^{100}$ are equally small, for example.) Thus if $a, a'$ are restricted to
$[-2^{115} .. 2^{115}]$ and $b, b'$ are restricted to $[-2^{10} .. 2^{10}]$ then $\Delta_a = a - a' < 2^{116}$ can
never equal $\Delta_b \log_2 3 \pmod{2^{128} - 1} > 2^{116}$ unless $\Delta_b = 0$. This means that the
only solution to $2^a 3^b = 2^{a'} 3^{b'}$ within the specified range is $a = a'$ and $b = b'$.

The proof of statement (3) is similar. First we need the value

$$\log_2 7 = 305046802472688182329780655685899195396 \quad \text{(decimal)}$$

Now $2^a 3^b 7^c = 2^{a'} 3^{b'} 7^{c'}$ iff $a - a' = (b' - b) \log_2 3 + (c' - c) \log_2 7 \pmod{2^{128} - 1}$.
The smallest value for $\Delta_b \log_2 3 + \Delta_c \log_2 7 \pmod{2^{128} - 1}$ when $\Delta_b, \Delta_c \in
[-2^8 .. 2^8]$ and at least one of these is non-zero is $-48 \log_2 3 + 31 \log_2 7 \pmod{2^{128} -
1} = \mathtt{00003bfabac91e02b278b7e69a379d18}$ (hexadecimal), which is about $2^{109.9}$.
So restricting the index for base 2 to $[-2^{108} .. 2^{108}]$ ensures that $a - a' < 2^{109}$
while $(b' - b) \log_2 3 + (c' - c) \log_2 7 > 2^{109}$ unless $b = b'$ and $c = c'$ and $a = a'$. $\square$

We emphasize that not just any list of bases will work. Notice, for example,
that $3^2 = 5$ in $\mathbb{F}_{2^n}$, so the list of bases 2, 3, 5 does not give unique representations,
even for a tiny list of allowed indices like $\mathcal{I}_1 \times \mathcal{I}_2 \times \mathcal{I}_3 = \{0, 1, 2\}^3$.

Similar calculations can be done in other groups; here we state the analogous
result for $\mathbb{F}^*_{2^{64}}$.

Proposition 2 [Can Use 2, 3, 11 When $n = 64$]. In the group $\mathbb{F}^*_{2^{64}}$ the
following choices for parameters provide unique representations:

(1) $\alpha_1 = 2$ and $[-2^{62} .. 2^{62}]$,

(2) $\alpha_1, \alpha_2 = 2, 3$ and $[-2^{51} .. 2^{51}] \times [-2^{10} .. 2^{10}]$,

(3) $\alpha_1, \alpha_2, \alpha_3 = 2, 3, 11$ and $[-2^{44} .. 2^{44}] \times [-2^7 .. 2^7] \times [-2^7 .. 2^7]$. $\square$

This time 2, 3, 7 does not work as a list of bases, even with a small set of
allowed indices like $[1 .. 64] \times \{0, 1, 2\} \times \{0, 1, 2\}$, due to the fact that $2^{64} = 3^2 \cdot 7$
in this group. Machine-assisted verification seems essential here; a relation like
that just given is found immediately when computing the possible values for
$\Delta_b \log_2 3 + \Delta_c \log_2 7 \pmod{2^{64} - 1}$, but it might not otherwise be anticipated.
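The field arithmetic of Section 2 and the unique-representation checks of this section can be carried out directly. The following Python is an added example, not code from the paper: it implements $\mathbb{F}_{2^{128}}$ with $p_{128}(x)$, confirms that 2 generates $\mathbb{F}^*_{2^{128}}$, verifies the two discrete logarithms quoted in the proof of Proposition 1 by exponentiation, recomputes the two "smallest combination" values by brute force over the stated $\Delta$ ranges, and checks Definition 4 exhaustively for the small index boxes used with the bases 2, 3, 5 and 2, 3, 7. The prime factorisation of $2^{128}-1$ (the Fermat numbers $F_0, \ldots, F_6$) is supplied here and is not from the page.

```python
# Added example (not from the paper): checking the claims of Sections 2 and 4
# in F_{2^128} represented with p_128(x) = x^128 + x^7 + x^2 + x + 1.
N_BITS = 128
MASK = (1 << N_BITS) - 1
GROUP_ORDER = (1 << N_BITS) - 1                  # |F*_{2^128}|
# Prime factorisation of 2^128 - 1 = F_0 F_1 ... F_6 (Fermat numbers); supplied
# here, not taken from the page.
PRIME_FACTORS = [3, 5, 17, 257, 641, 65537, 274177, 6700417, 67280421310721]


def dbl(a: int) -> int:
    """2a, i.e. a*x: shift left and xor 0^120 10000111 (= 0x87) if the top bit fell off."""
    a <<= 1
    if a >> N_BITS:
        a = (a & MASK) ^ 0x87
    return a


def mul(a: int, b: int) -> int:
    """Field product: xor of a*x^k over the set bits k of b, built by repeated doubling."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = dbl(a)
        b >>= 1
    return r


def power(a: int, e: int) -> int:
    """a^e by square-and-multiply; e may be an arbitrarily large non-negative int."""
    r = 1
    while e:
        if e & 1:
            r = mul(r, a)
        a = mul(a, a)
        e >>= 1
    return r


def is_generator(g: int) -> bool:
    """g generates F*_{2^n} iff g^((2^n-1)/p) != 1 for every prime p dividing 2^n - 1."""
    return all(power(g, GROUP_ORDER // p) != 1 for p in PRIME_FACTORS)


# Discrete logs (base 2) quoted in the proof of Proposition 1.
LOG2_3 = 338793687469689340204974836150077311399
LOG2_7 = 305046802472688182329780655685899195396


def distance_from_zero(v: int) -> int:
    """'Smallest' in the proof's sense: distance from 0 modulo 2^128 - 1."""
    v %= GROUP_ORDER
    return min(v, GROUP_ORDER - v)


def smallest_combination(bound: int, logs: list) -> tuple:
    """Brute-force min distance of sum(d_j*log_j), d_j in [-bound..bound], not all zero.
    Returns (distance, coefficients)."""
    best = (GROUP_ORDER, ())

    def rec(prefix: tuple, acc: int) -> None:
        nonlocal best
        if len(prefix) == len(logs):
            if any(prefix):
                dist = distance_from_zero(acc)
                if dist < best[0]:
                    best = (dist, prefix)
            return
        lg = logs[len(prefix)]
        for d in range(-bound, bound + 1):
            rec(prefix + (d,), acc + d * lg)

    rec((), 0)
    return best


def unique_representations(bases: list, index_ranges: list) -> bool:
    """Definition 4, checked exhaustively for small non-negative index boxes."""
    seen = {}

    def rec(k: int, acc: int, idx: tuple) -> bool:
        if k == len(bases):
            if acc in seen and seen[acc] != idx:
                return False            # two index tuples give the same group element
            seen[acc] = idx
            return True
        return all(rec(k + 1, mul(acc, power(bases[k], i)), idx + (i,))
                   for i in index_ranges[k])

    return rec(0, 1, ())


def proposition_1_checks() -> dict:
    """The facts the proof relies on, recomputed from scratch."""
    return {
        "2 generates F*": is_generator(2) and power(2, GROUP_ORDER) == 1,
        "2^log2_3 == 3": power(2, LOG2_3) == 3,
        "2^log2_7 == 7": power(2, LOG2_7) == 7,
        "min over |d_b| <= 2^11": smallest_combination(2 ** 11, [LOG2_3]),
        "min over |d_b|,|d_c| <= 2^8": smallest_combination(2 ** 8, [LOG2_3, LOG2_7]),
        "3^2 == 5": mul(3, 3) == 5,
    }
```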

5 Security of XE 

The following result quantifies the security of the XE construction.

Theorem 1 [Security of XE]. Fix $n \ge 1$ and let $\alpha_1, \ldots, \alpha_k \in \mathbb{F}^*_{2^n}$ be base
elements and let $\mathcal{I}_1 \times \cdots \times \mathcal{I}_k$ be allowed indices such that these parameters
provide unique representations. Fix a blockcipher $E\colon \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ and
let $\widetilde{E} = \mathrm{XE}[E, \alpha_1^{\mathcal{I}_1} \cdots \alpha_k^{\mathcal{I}_k}]$. Then $\mathbf{Adv}^{\widetilde{\mathrm{prp}}}_{\widetilde{E}}(t, q) \le \mathbf{Adv}^{\mathrm{prp}}_E(t', 2q) + [\text{term illegible in the scan}]$, where
$t' = t + ckn(q + 1)$ for some absolute constant $c$. $\square$

In English, the XE construction promotes a CPA-secure blockcipher to a
CPA-secure tweakable blockcipher, assuming that the chosen base elements and
range of allowed indices provide unique representations. The proof is in [14].



6 Security of XEX 

Some added care is needed to address the security of XEX. Suppose, to be
concrete, that we are looking at $\mathrm{XEX}[E, 2^{\mathcal{I}}]$ and $\mathcal{I} = [0 .. 2^{n-2}]$. Let the adversary
ask a deciphering query with ciphertext $C = 0^n$ and tweak $(0^n, 0)$.
If the adversary has a construction-based deciphering oracle then it will get a
response of $M = \widetilde{D}^{0^n\,0}_K(0^n) = D_K(\Delta) \oplus \Delta = D_K(\mathbf{N}) \oplus \mathbf{N} = 0^n \oplus \mathbf{N} = \mathbf{N}$,
where $\mathbf{N} = E_K(0^n) = \Delta$. This allows the adversary to defeat the CCA-security.
For example, enciphering $2M = 2\mathbf{N}$ with a tweak of $(0^n, 1)$ and enciphering
$4M = 4\mathbf{N}$ with a tweak of $(0^n, 2)$ will give identical results (if the adversary has
the construction-based enciphering oracle). Corresponding to this attack we exclude
any tweak $(N, i_1, \ldots, i_k)$ for which $(i_1, \ldots, i_k)$ is a representative of 1, that
is, any tweak $(N, i_1, \ldots, i_k)$ for which $\alpha_1^{i_1} \cdots \alpha_k^{i_k} = 1$. In particular, this condition
excludes any tweak $(N, 0, \ldots, 0)$. The proof of the following is omitted, as
Theorem 3 will be more general.

Theorem 2 (Security of XEX). Fix $n \ge 1$ and let $\alpha_1, \ldots, \alpha_k \in \mathbb{F}^*_{2^n}$ be base
elements and let $\mathcal{I}_1 \times \cdots \times \mathcal{I}_k$ be allowed indices such that these parameters provide
unique representations. Assume $\alpha_1^{i_1} \cdots \alpha_k^{i_k} \ne 1$ for all $(i_1, \ldots, i_k) \in \mathcal{I}_1 \times \cdots \times \mathcal{I}_k$.
Fix a blockcipher $E\colon \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ and let $\widetilde{E} = \mathrm{XEX}[E, \alpha_1^{\mathcal{I}_1} \cdots \alpha_k^{\mathcal{I}_k}]$.
Then $\mathbf{Adv}^{\pm\widetilde{\mathrm{prp}}}_{\widetilde{E}}(t, q) \le \mathbf{Adv}^{\pm\mathrm{prp}}_E(t', 2q) + [\text{term illegible in the scan}]$, where $t' = t + ckn(q + 1)$ for
some absolute constant $c$. $\square$

7 An Almost-Free Alternative to Key Separation 

When combining two blockcipher-based cryptographic mechanisms into a composite
mechanism, it is, in general, essential to use two different keys. Either
these two keys together comprise the key for the joint mechanism, or else each
key is obtained from an underlying one by a key-derivation technique. The first
possibility increases the key length in the composite mechanism while the second
involves extra computation at key setup. Both possibilities incur the inefficiency
of blockcipher re-keying when the combined mode runs. For all of these reasons,
some new "composite" modes of operation have gone to considerable trouble in
order to make do (for their particular context) with a single blockcipher key. Examples
include EAX, CCM, and OCB [3, 13, 17]. Using a single key complicates
proofs — when the mechanism works at all — because one can no longer reason
about generically combining lower-level mechanisms.

Tweakable blockciphers open up a different possibility: the same underlying 
key is used across the different mechanisms that are being combined, but one 
arranges that the tweaks are disjoint across different mechanisms. In this way 
one retains the modularity of design and analysis associated to using separate 
keys — one reasons in terms of generic composition — yet one can instantiate in 
a way that avoids having extra key material or doing extra key setups. Because 
the tweak space for XE and XEX is a Cartesian product of ranges of integers, 
it is easy, for these constructions, to separate the different tweaks. 



8 Combining XE and XEX 

Some blockcipher-based constructions need CCA-security in some places and 
CPA-security in other places. One could assume CCA-security throughout, later 
instantiating all blockcipher calls with a CCA-secure construction, but it might 
be better to use a CPA-secure construction where sufficient and a CCA-secure 
one where necessary. Regardless of subsequent instantiation, it is good to be able 
to talk, formally, about where in a construction one needs what assumption. 

To formalize where in a construction one is demanding what, we tag each
blockcipher call with an extra bit. We say that a tweakable blockcipher $\widetilde{E}\colon \mathcal{K} \times
\mathcal{T} \times \{0,1\}^n \to \{0,1\}^n$ is tagged if $\mathcal{T} = \{0,1\} \times \mathcal{T}^*$ for some nonempty set $\mathcal{T}^*$.
Think of $\mathcal{T}^*$, the effective tweak space, as the tweak space actually used by the
mode. The extra bit indicates what is demanded for each tweak. A first bit of 0
indicates a demand of CPA security, and 1 indicates a demand for CCA security.
For a given $T \in \mathcal{T}^*$ one should be asking for one or the other.

An adversary $A$ launching an attack on a tagged blockcipher is given two
oracles, $e(\cdot, \cdot)$ and $d(\cdot, \cdot)$, where the second oracle computes the inverse of the
first (meaning $d(T, Y)$ is the unique $X$ such that $e(T, X) = Y$). The adversary
must respect the semantics of the tags, meaning that the adversary may not
make any query $d(T, Y)$ where the first component of $T$ is 0, and if the adversary
makes an oracle query with a tweak $(b, T^*)$ then it may make no subsequent
query with a tweak $(1 - b, T^*)$. As always, we insist that there be no pointless
queries: an adversary may not repeat an $e(T, X)$ query or a $d(T, Y)$ query, and
it may not ask $d(T, Y)$ after having learned $Y = e(T, X)$, nor ask $e(T, X)$ after
having learned $X = d(T, Y)$. The definition for security is now as follows.
Definition 5 (Security of a Tagged, Tweakable Blockcipher). Let $\widetilde{E}\colon \mathcal{K} \times
\mathcal{T} \times \{0,1\}^n \to \{0,1\}^n$ be a tagged, tweakable blockcipher and let $A$ be an
adversary. Then $\mathbf{Adv}^{[\pm]\widetilde{\mathrm{prp}}}_{\widetilde{E}}(A)$ is defined as $\Pr[K \xleftarrow{\$} \mathcal{K} : A^{\widetilde{E}_K(\cdot,\cdot)\,\widetilde{D}_K(\cdot,\cdot)} \Rightarrow 1] -
\Pr[\pi \xleftarrow{\$} \mathrm{Perm}(\mathcal{T}, n) : A^{\pi(\cdot,\cdot)\,\pi^{-1}(\cdot,\cdot)} \Rightarrow 1]$. $\square$

Naturally $\widetilde{D}$, above, is the inverse of $\widetilde{E}$. Security in the $\widetilde{\mathrm{prp}}$-sense and security
in the $\pm\widetilde{\mathrm{prp}}$-sense are special cases of security in the $[\pm]\widetilde{\mathrm{prp}}$-sense (but for the
enlarged tweak space).

If we combine XE and XEX using our tagging convention we get the tagged,
tweakable blockcipher XEX*.

Definition 6 (XEX*). Let $E\colon \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ be a blockcipher, let
$\alpha_1, \ldots, \alpha_k \in \mathbb{F}^*_{2^n}$, and let $\mathcal{I}_1, \ldots, \mathcal{I}_k \subseteq \mathbb{Z}$. Then $\widetilde{E} = \mathrm{XEX}^*[E, \alpha_1^{\mathcal{I}_1} \cdots \alpha_k^{\mathcal{I}_k}]$ is the
tweakable blockcipher $\widetilde{E}\colon \mathcal{K} \times (\{0,1\} \times \{0,1\}^n \times \mathcal{I}_1 \times \cdots \times \mathcal{I}_k) \times \{0,1\}^n \to \{0,1\}^n$
defined by $\widetilde{E}^{0\,N\,i_1 \cdots i_k}_K(M) = E_K(M \oplus \Delta)$ and $\widetilde{E}^{1\,N\,i_1 \cdots i_k}_K(M) = E_K(M \oplus \Delta) \oplus \Delta$
where $\Delta = \alpha_1^{i_1} \cdots \alpha_k^{i_k} \mathbf{N}$ and $\mathbf{N} = E_K(N)$. $\square$

9 Security of the Combined Construction 

We now specify the security of the XEX* construction. The result encompasses
that XE is $\widetilde{\mathrm{prp}}$-secure and XEX is $\pm\widetilde{\mathrm{prp}}$-secure. The proof is in [14].

Theorem 3 (Security of XEX*). Fix $n \ge 1$ and let $\alpha_1, \ldots, \alpha_k \in \mathbb{F}^*_{2^n}$ be base
elements and let $\mathcal{I}_1 \times \cdots \times \mathcal{I}_k$ be allowed indices such that these parameters provide
unique representations and such that $\alpha_1^{i_1} \cdots \alpha_k^{i_k} \ne 1$ for all $(i_1, \ldots, i_k) \in \mathcal{I}_1 \times \cdots \times
\mathcal{I}_k$. Fix a blockcipher $E\colon \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ and let $\widetilde{E} = \mathrm{XEX}^*[E, \alpha_1^{\mathcal{I}_1} \cdots \alpha_k^{\mathcal{I}_k}]$.
Then $\mathbf{Adv}^{[\pm]\widetilde{\mathrm{prp}}}_{\widetilde{E}}(t, q) \le \mathbf{Adv}^{\pm\mathrm{prp}}_E(t', 2q) + [\text{term illegible in the scan}]$, where $t' = t + ckn(q + 1)$ for
some absolute constant $c$. $\square$



10 The OCBl Authenticated-Encryption Scheme 

We recast OCB [15] to use a tweakable blockcipher instead of a conventional
blockcipher. Liskov, Rivest, and Wagner first did this [10], but our formulation
is different from theirs. First, guided by what we have done so far, we choose
a tweak space of $\mathcal{T} = \{0,1\} \times \{0,1\}^n \times [1 .. 2^{n/2}] \times \{0,1\}$. The first bit of the
tweak is the tag; the effective tweak space is $\mathcal{T}^* = \{0,1\}^n \times [1 .. 2^{n/2}] \times \{0,1\}$.
Second, we want tweaks to increase monotonically, and so we switch the "special"
processing done in OCB from the penultimate block to the final block. The
resulting algorithm is shown in Fig. 1. Algorithm OCB1 is parameterized by a
tweakable blockcipher $\widetilde{E}\colon \mathcal{K} \times \mathcal{T} \times \{0,1\}^n \to \{0,1\}^n$ and a number $\tau \in [0 .. n]$.
For clarity, we write $\pi^N_i$ for $\widetilde{E}^{1\,N\,i\,0}_K$, $\bar{\pi}^N_i$ for $\widetilde{E}^{0\,N\,i\,0}_K$, and $\hat{\pi}^N_i$ for $\widetilde{E}^{0\,N\,i\,1}_K$.

The security of OCB1[Perm($\mathcal{T}$, $n$)] is much simpler to prove than the security
of OCB[Perm($n$)]. (Liskov, Rivest, and Wagner [10] had made the same
point for their tweakable-blockcipher variant of OCB.) To state the result we
Algorithm OCB1.Encrypt$^N_K(M)$
    Partition $M$ into $M[1] \cdots M[m]$
    for $i \in [1 .. m-1]$ do $C[i] \leftarrow \pi^N_i(M[i])$
    $\mathrm{Pad} \leftarrow \bar{\pi}^N_m(\mathrm{len}(M[m]))$
    $C[m] \leftarrow M[m] \oplus \mathrm{Pad}$
    $C \leftarrow C[1] \cdots C[m]$
    $\Sigma \leftarrow M[1] \oplus \cdots \oplus M[m-1] \oplus C[m]0^* \oplus \mathrm{Pad}$
    $\mathrm{Tag} \leftarrow \hat{\pi}^N_m(\Sigma)$
    $T \leftarrow \mathrm{Tag}$ [first $\tau$ bits]
    return $\mathcal{C} \leftarrow C \,\|\, T$

Algorithm OCB1.Decrypt$^N_K(\mathcal{C})$
    Partition $\mathcal{C}$ into $C[1] \cdots C[m]\, T$
    for $i \in [1 .. m-1]$ do $M[i] \leftarrow (\pi^N_i)^{-1}(C[i])$
    $\mathrm{Pad} \leftarrow \bar{\pi}^N_m(\mathrm{len}(C[m]))$
    $M[m] \leftarrow C[m] \oplus \mathrm{Pad}$
    $M \leftarrow M[1] \cdots M[m]$
    $\Sigma \leftarrow M[1] \oplus \cdots \oplus M[m-1] \oplus C[m]0^* \oplus \mathrm{Pad}$
    $\mathrm{Tag} \leftarrow \hat{\pi}^N_m(\Sigma)$
    $T' \leftarrow \mathrm{Tag}$ [first $\tau$ bits]
    if $T = T'$ then return $M$
    else return Invalid

Fig. 1. OCB1[$\widetilde{E}$, $\tau$] with a tweakable blockcipher $\widetilde{E}\colon \mathcal{K} \times \mathcal{T} \times \{0,1\}^n \to \{0,1\}^n$ and
tweak space $\mathcal{T} = \{0,1\} \times \{0,1\}^n \times [1 .. 2^{n/2}] \times \{0,1\}$ and tag length $\tau \in [0 .. n]$. We
write $\pi^N_i$ and $\bar{\pi}^N_i$ and $\hat{\pi}^N_i$ for $\widetilde{E}^{1\,N\,i\,0}_K$ and $\widetilde{E}^{0\,N\,i\,0}_K$ and $\widetilde{E}^{0\,N\,i\,1}_K$.



give a couple of definitions from [15]. For privacy of a nonce-based encryption
scheme $\Pi = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ we use the notion of indistinguishability-from-random-strings,
which defines $\mathbf{Adv}^{\mathrm{priv}}_\Pi(A)$ as $\Pr[K \xleftarrow{\$} \mathcal{K} : A^{\mathcal{E}_K(\cdot,\cdot)} \Rightarrow 1] - \Pr[A^{\$(\cdot,\cdot)} \Rightarrow 1]$.
Here $\$(\cdot, \cdot)$ is an oracle that, on input $(N, M)$, returns $|M|$ random bits. The adversary
is not allowed to repeat a nonce $N$. For authenticity we use the nonce-based
notion of integrity of ciphertexts: the adversary is given an encryption
oracle $\mathcal{E}_K(\cdot, \cdot)$ and is said to forge if it outputs an $(N, \mathcal{C})$ that is valid and $\mathcal{C}$
was not the result of any prior $(N, M)$ query. The adversary is not allowed to
repeat a nonce $N$ while it queries its encryption oracle. We write $\mathbf{Adv}^{\mathrm{auth}}_\Pi(A)$ for
$\Pr[K \xleftarrow{\$} \mathcal{K} : A^{\mathcal{E}_K(\cdot,\cdot)} \text{ forges}]$. We have the following theorem for the information-theoretic
security of OCB1. The proof is in [14].

Theorem 4 (OCB1 with an Ideal Tweakable Blockcipher). Fix $n \ge 1$, $\tau \in [0 .. n]$, and $\mathcal{T} = \{0,1\} \times \{0,1\}^n \times [1 .. 2^{n/2}] \times \{0,1\}$. Let $A$ be an adversary. Then $\mathbf{Adv}^{\mathrm{priv}}_{\mathrm{OCB1}[\mathrm{Perm}(\mathcal{T},n),\tau]}(A) = 0$ and $\mathbf{Adv}^{\mathrm{auth}}_{\mathrm{OCB1}[\mathrm{Perm}(\mathcal{T},n),\tau]}(A) \le 2^{n-\tau}/(2^n - 1)$. □

Note that the authenticity bound is close to $2^{-\tau}$; in particular, $2^{n-\tau}/(2^n - 1) \le 1/(2^{\tau} - 1)$ for all $\tau \ge 2$. The bounds do not degrade with the number of queries asked by the adversary, the length of these queries, or the time the adversary runs. For the complexity-theoretic analog we have the following.

Corollary 1 (OCB1 with a Tweakable Blockcipher). Fix $n \ge 1$, $\tau \in [0 .. n]$, $\mathcal{T} = \{0,1\} \times \{0,1\}^n \times [1 .. 2^{n/2}] \times \{0,1\}$, and $\widetilde{E}: \mathcal{K} \times \mathcal{T} \times \{0,1\}^n \to \{0,1\}^n$ a tagged, tweakable blockcipher. Then $\mathbf{Adv}^{\mathrm{priv}}_{\mathrm{OCB1}[\widetilde{E},\tau]}(t,\sigma) \le \mathbf{Adv}^{\widetilde{\mathrm{prp}}}_{\widetilde{E}}(t',\sigma)$ and $\mathbf{Adv}^{\mathrm{auth}}_{\mathrm{OCB1}[\widetilde{E},\tau]}(t,\sigma) \le \mathbf{Adv}^{\pm\widetilde{\mathrm{prp}}}_{\widetilde{E}}(t',\sigma) + 2^{n-\tau}/(2^n - 1)$, where $t' = t + cn\sigma$ for some absolute constant $c$. □

Algorithm OCB1.Encrypt_K^N(M)
    Partition M into M[1] ··· M[m]
    Δ ← 2 E_K(N)
    Σ ← 0^n
    for i ∈ [1 .. m − 1] do
        C[i] ← E_K(M[i] ⊕ Δ) ⊕ Δ
        Δ ← 2Δ
        Σ ← Σ ⊕ M[i]
    Pad ← E_K(len(M[m]) ⊕ Δ)
    C[m] ← M[m] ⊕ Pad
    C ← C[1] ··· C[m]
    Σ ← Σ ⊕ C[m]0* ⊕ Pad
    Δ ← 3Δ
    Tag ← E_K(Σ ⊕ Δ)
    T ← Tag [first τ bits]
    return 𝒞 ← C ∥ T

Algorithm OCB1.Decrypt_K^N(𝒞)
    Partition 𝒞 into C[1] ··· C[m] T
    Δ ← 2 E_K(N)
    Σ ← 0^n
    for i ∈ [1 .. m − 1] do
        M[i] ← E_K^{−1}(C[i] ⊕ Δ) ⊕ Δ
        Δ ← 2Δ
        Σ ← Σ ⊕ M[i]
    Pad ← E_K(len(C[m]) ⊕ Δ)
    M[m] ← C[m] ⊕ Pad
    M ← M[1] ··· M[m]
    Σ ← Σ ⊕ C[m]0* ⊕ Pad
    Δ ← 3Δ
    Tag ← E_K(Σ ⊕ Δ)
    T' ← Tag [first τ bits]
    if T = T' then return M
    else return Invalid

Fig. 2. OCB1[E, τ] with a conventional blockcipher E: 𝒦 × {0,1}^n → {0,1}^n and a tag length τ ∈ [0 .. n]. This coincides with OCB1[Ẽ, τ] where Ẽ = XEX*[E, 2^{[1 .. 2^{n/2}]} 3^{{0,1}}].

The proof requires CPA-security for privacy but authenticity uses the notion that combines CPA- and CCA-security (Definition 5). It is here that one has formalized the intuition that the first $m - 1$ tweakable-blockcipher calls of OCB1 need to be CCA-secure but the last two calls need only be CPA-secure.

To realize OCB1 with a conventional blockcipher $E: \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$, use XEX*, instantiating OCB1[$\widetilde{E}$, τ] by way of $\widetilde{E} = \mathrm{XEX}^*[E, 2^{I} 3^{J}]$ where $I = [1 .. 2^{n/2}]$ and $J = \{0,1\}$. Overloading the notation, we write this scheme as OCB1[E, τ]. The method is rewritten in Fig. 2.
Corollary 2 (OCB1 with a Blockcipher). Fix $n \ge 1$ and $\tau \in [0 .. n]$. Assume that 2, 3 provide unique representations on $[1 .. 2^{n/2}] \times \{0,1\}$ and $2^i 3^j \ne 1$ for all $(i,j) \in [1 .. 2^{n/2}] \times \{0,1\}$. Let $E: \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ be a blockcipher. Then

— $\mathbf{Adv}^{\mathrm{priv}}_{\mathrm{OCB1}[E,\tau]}(t,\sigma) \le \mathbf{Adv}^{\mathrm{prp}}_{E}(t', 2\sigma) + \dfrac{9.5\,\sigma^2}{2^n}$ and

— $\mathbf{Adv}^{\mathrm{auth}}_{\mathrm{OCB1}[E,\tau]}(t,\sigma) \le \mathbf{Adv}^{\pm\mathrm{prp}}_{E}(t', 2\sigma) + \dfrac{9.5\,\sigma^2}{2^n} + \dfrac{2^{n-\tau}}{2^n - 1}$,

where $t' = t + cn\sigma$ for some absolute constant $c$. □

Propositions 1 and 2 establish that $n = 128$ and $n = 64$ satisfy the requirement for unique representations. They also guarantee that there is no representative of 1 within $[1 .. 2^{n/2}] \times \{0,1\}$. To see this, note that the propositions imply that $(0,0)$ is the only representative for 1 within a space $I_1 \times I_2$ that includes $[1 .. 2^{n/2}] \times \{0,1\}$, and so there can be no representative of 1 within a subspace of $I_1 \times I_2$ that excludes $(0,0)$.

Blockcipher-based OCB1 is more efficient than OCB. With OCB one expects to use preprocessing to compute a value $L = E_K(0^n)$ and a collection of $2^i L$-values. This is gone in OCB1; preprocessing is not useful there beyond setting up the underlying blockcipher key. Beyond this, with OCB processing the $j$-th block involved xoring into the current offset a value $L(i) = 2^i L$ where $i = \mathrm{ntz}(j)$ was the number of trailing zero-bits in the index $j$. In the absence of preprocessing, offset-calculations were not constant time. This too is gone.

The previous paragraph notwithstanding, the time difference or chip-area difference between optimized implementations of OCB and OCB1 will be small, since the overhead of OCB over a mode like CBC was already small. The larger gain is that the mode is simpler to understand, implement, and prove correct.
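The following Python implementation of Fig. 2 is an example added by the editor; it is not the paper's code nor any OCB reference implementation. It makes the points of the preceding paragraphs concrete: the offset sequence is one GF(2^128) doubling per block followed by a single tripling, there is nothing to precompute, the first m − 1 blocks use the two-sided XEX call and the last block and the tag use one-sided XE calls. Two assumptions are the example's own: the blockcipher E_K is an ideal cipher simulated by lazy sampling (the Perm(n) idealisation of Theorem 4), where a deployment would use AES-128, and the doubling polynomial 0x87 and the 64-bit tag length are the example's choices. The ocb_offsets routine at the end reproduces the original OCB offset computation, Z[j] = Z[j−1] ⊕ 2^{ntz(j)} L, for contrast with OCB1's plain doubling.

```python
# OCB1 over an abstract n-bit blockcipher, following Fig. 2 (n = 128, 64-bit tag).
# Editor's example, not the paper's code.  E_K is an ideal cipher simulated by
# lazy sampling (the Perm(n) idealisation of Theorem 4); use AES-128 in practice.
import hmac
import secrets

N = 128
MASK = (1 << N) - 1
NB = N // 8                                   # block size in bytes

def gf_double(x):
    """2*x in GF(2^128) with polynomial x^128 + x^7 + x^2 + x + 1 (0x87)."""
    x <<= 1
    return (x ^ 0x87) & MASK if x >> N else x

def gf_triple(x):
    """3*x = 2*x xor x."""
    return gf_double(x) ^ x

def _fresh(used):
    # uniform n-bit value not yet assigned (lazy sampling of a permutation)
    y = secrets.randbits(N)
    while y in used:
        y = secrets.randbits(N)
    return y

class IdealCipher:
    """Lazily sampled random permutation on {0,1}^n; one instance per key."""
    def __init__(self):
        self.fwd, self.inv = {}, {}

    def enc(self, x):
        if x not in self.fwd:
            y = _fresh(self.inv)
            self.fwd[x], self.inv[y] = y, x
        return self.fwd[x]

    def dec(self, y):
        if y not in self.inv:
            x = _fresh(self.fwd)
            self.fwd[x], self.inv[y] = y, x
        return self.inv[y]

def _b2i(b): return int.from_bytes(b, "big")
def _i2b(x): return x.to_bytes(NB, "big")

def _blocks(s):
    """M[1]..M[m]: n-bit blocks, the last possibly short; epsilon is one empty block."""
    return [s[i:i + NB] for i in range(0, len(s), NB)] or [b""]

def _ocb1(E, nonce, blocks, forward):
    """Shared body of Fig. 2; returns (C[1]..C[m] or M[1]..M[m], the full n-bit Tag)."""
    delta = gf_double(E.enc(_b2i(nonce)))     # Delta <- 2 E_K(N)
    sigma, out = 0, []
    for blk in blocks[:-1]:                   # first m-1 blocks: XEX, the CCA-secure calls
        v = _b2i(blk)
        if forward:
            m_i, c_i = v, E.enc(v ^ delta) ^ delta
        else:
            m_i, c_i = E.dec(v ^ delta) ^ delta, v
        out.append(_i2b(c_i if forward else m_i))
        delta = gf_double(delta)              # Delta <- 2 Delta
        sigma ^= m_i                          # Sigma <- Sigma xor M[i]
    last = blocks[-1]                         # last block: XE with offset 2^m E_K(N)
    pad = E.enc((len(last) * 8) ^ delta)      # Pad <- E_K(len(M[m]) xor Delta)
    other = bytes(a ^ b for a, b in zip(last, _i2b(pad)))   # xor with first |M[m]| bits of Pad
    out.append(other)
    c_last = other if forward else last
    sigma ^= _b2i(c_last.ljust(NB, b"\0")) ^ pad            # Sigma <- Sigma xor C[m]0* xor Pad
    tag = _i2b(E.enc(sigma ^ gf_triple(delta)))             # Tag <- E_K(Sigma xor 3 Delta)
    return b"".join(out), tag

def ocb1_encrypt(E, nonce, msg, tau=8):
    """OCB1.Encrypt_K^N(M): returns C || T with a tau-byte tag."""
    body, tag = _ocb1(E, nonce, _blocks(msg), forward=True)
    return body + tag[:tau]

def ocb1_decrypt(E, nonce, ctext, tau=8):
    """OCB1.Decrypt_K^N(C): returns M, or None for Invalid."""
    if len(ctext) < tau:
        return None
    cut = len(ctext) - tau
    msg, tag = _ocb1(E, nonce, _blocks(ctext[:cut]), forward=False)
    return msg if hmac.compare_digest(ctext[cut:], tag[:tau]) else None

def ntz(j):
    """Number of trailing zero bits of j >= 1."""
    return (j & -j).bit_length() - 1

def ocb_offsets(L, R, m):
    """Original OCB: Z[j] = Z[j-1] xor 2^{ntz(j)} L with Z[0] = R, which needs a table
    of 2^i L values and a data-dependent lookup per block (both gone in OCB1)."""
    table, z, out = [L], R, []
    for _ in range(m.bit_length()):
        table.append(gf_double(table[-1]))
    for j in range(1, m + 1):
        z ^= table[ntz(j)]
        out.append(z)
    return out
```

Encryption and decryption share one body because the mode's only asymmetry is the direction of the first m − 1 blockcipher calls; the checksum is always over plaintext blocks plus C[m]0* ⊕ Pad, so decryption recomputes the tag from what it has just recovered and compares in constant time.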



11 The PMAC1 Message Authentication Code

As with OCB, one can recast PMAC [4] to use a tweakable blockcipher and, having done so, one can instantiate the tweakable blockcipher, this time with the XE construction. The resulting algorithm, PMAC1, is simpler and more efficient than PMAC. In the latter construction one had to xor into the current offset a value $L(i) = 2^i L$ where $i$ was the number of trailing zero-bits in the current block index $j$. This is gone in PMAC1, and an implementation no longer needs to concern itself with Gray codes, precomputing $L(i)$-values, or finding the most efficient way to bring in the right $L(i)$ value. Details are in [14].

To make an authenticated encryption scheme that handles associated data, combine OCB1 and PMAC1 [13]. Encrypt message $M$ under key $K$, nonce $N$, and header $H$ by $\mathrm{OCB1.Encrypt}_K^N(M) \oplus \mathrm{PMAC1}_K(H)$ where the $\oplus$ xors into the end. Omit the $\oplus\,\mathrm{PMAC1}_K(H)$ if $H = \varepsilon$. We call this scheme AEM.
12 Comments

Under the approach suggested by this paper, to get good efficiency for a design that uses a tweakable blockcipher, the designer must accept certain design rules. In particular, the tweak space needs to look like $\{0,1\}^n \times \mathrm{BIG} \times \mathrm{SMALL}$ for appropriate sets BIG and SMALL, and one needs to arrange that most tweaks be obtained by incrementing the prior one. It is a thesis implicit in this work that these restrictions are not overly severe.

Besides simplifying the design and proof for OCB and PMAC, we have improved their efficiency. The improvements are not large (the modes were already highly efficient), but performance improvements, of any size, were not a benefit formerly envisaged as flowing from the tweakable-blockcipher abstraction.

Somewhat strangely, our constructions depend on the relative easiness of 
computing discrete logarithms. I know of no other example where one needs to 
compute discrete logs in order to design or verify a mode of operation. 

I end this paper by acknowledging that everyone writes block cipher, not 
blockcipher. Still, the time has come to spell this word solid. I invite you to join 
me. 
A Tweakable Blockciphers Implicit in Prior Work

When tweaks increase in sequence, the most efficient constructions formerly known for a tweakable blockcipher are those implicit in earlier modes [4, 5, 9, 15], recast in view of Liskov, Rivest, and Wagner [10]. In particular:

— Jutla [9] might be seen as suggesting a construction (among others) of $\widetilde{E}: (\mathcal{K} \times \mathcal{K}') \times (\{0,1\}^n \times \mathbb{Z}^+) \times \{0,1\}^n \to \{0,1\}^n$ by way of $\widetilde{E}^{N\,i}_{K K'}(X) = E_K(X \oplus \Delta_i) \oplus \Delta_i$ where $\Delta_i = i\,r \bmod p$ and $r = E_{K'}(N)$ and $p$ is the largest prime less than $2^n$.

— Gligor and Donescu [5] might be seen as suggesting constructions like $\widetilde{E}: (\mathcal{K} \times \{0,1\}^n) \times [1 .. 2^n - 1] \times \{0,1\}^n \to \{0,1\}^n$ by $\widetilde{E}^{i}_{K\,r}(X) = E_K(X + \delta)$ where $\delta = i\,r$ and addition is done modulo $2^n$.

— Rogaway, Bellare, and Black [15] might be seen as implicitly suggesting making a tweakable blockcipher $\widetilde{E}: \mathcal{K} \times (\{0,1\}^n \times [0 .. 2^{n-2}]) \times \{0,1\}^n \to \{0,1\}^n$ from an ordinary blockcipher $E: \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ by way of $\widetilde{E}^{N\,i}_K(X) = E_K(X \oplus \Delta) \oplus \Delta$ where $\Delta = \gamma_i L \oplus R$ and $L = E_K(0^n)$ and $R = E_K(N \oplus L)$ and $\gamma_i$ is the $i$-th Gray-code coefficient.

— Black and Rogaway [4] might be seen as making $\widetilde{E}: \mathcal{K} \times [0 .. 2^{n-2}] \times \{0,1\}^n \to \{0,1\}^n$ out of $E: \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ by $\widetilde{E}^{i}_K(X) = E_K(X \oplus \Delta)$ where $\Delta = \gamma_i L$ and $L = E_K(0^n)$ and $\gamma_i$ is as before.

The last two definitions ignore the "special" treatment afforded to blocks modified by xoring in $2^{-1}L$. The implicit intent [4, 15] was to use this mechanism to enlarge the tweak space by one bit, effectively taking the cross product with $\{0,1\}$.
Abstract. Even and Mansour [EM97] proposed a block cipher construction that takes a publicly computable random permutation oracle $P$ and XORs different keys prior to and after applying $P$: $C = k_2 \oplus P(M \oplus k_1)$.
They did not, however, describe how one could instantiate such a per- 
mutation securely. It is a fundamental open problem whether their con- 
struction could be proved secure outside the random permutation ora- 
cle model. We resolve this question in the affirmative by showing that 
the construction can be proved secure in the random function oracle 
model. In particular, we show that the random permutation oracle in 
their scheme can be replaced by a construction that utilizes a four-round 
Feistel network (where each round function is a random function oracle 
publicly computable by all parties including the adversary). Further, we 
prove that the resulting cipher is super pseudorandom - the adversary’s 
distinguishing advantage is at most $2q^2/2^n$ if he makes $q$ total queries to 
the cipher, its inverse, as well as any random oracles. Even and Mansour, 
on the other hand, only showed security against inversion and forgery. 
One noteworthy aspect of this result is that the cipher remains secure 
even though the adversary is permitted separate oracle access to all of 
the round functions. One can achieve a two-fold and four-fold reduction 
respectively in the amount of key material by a closer inspection of the 
proof and by instantiating the scheme using group operations other than 
exclusive-OR. On the negative side, a straightforward adaptation of an advanced slide attack recovers the $4n$-bit key with approximately $\sqrt{2}\cdot 2^n$ work using roughly $\sqrt{2}\cdot 2^n$ known plaintexts. Finally, if only three Feistel rounds are used, the resulting cipher is pseudorandom, but not super pseudorandom.



1 Introduction 

The Even-Mansour Construction. Even and Mansour [EM97] proposed a 
block cipher construction based on XORing secret key material just prior to 
and just after applying a random permutation oracle $P$: $C = k_2 \oplus P(M \oplus k_1)$, where $M$ is the plaintext, $C$ is the ciphertext, and $k_1, k_2$ is the key material. 
The permutation P (as well as its inverse P~^) is computable by all parties, 
including the adversary (see fig. 1). Even-Mansour proved that a polynomial- 
time adversary with black-box query access to the cipher and its inverse, as well 

P.J. Lee (Ed.): ASIACRYPT 2004, LNCS 3329, pp. 32-47, 2004. 
as black-box query access to the internal permutation and its inverse cannot 
invert an un-queried ciphertext of his choice, except with negligible probability. 
They also proved an analogous result about computing the cipher’s forward 
direction. 

While there are practical limitations to their construction [Dae91, BW00], the 
Even-Mansour work is well known and theoretically interesting. In particular, 
it is an example of a cipher for which an adversary has black-box access to the 
only real “cryptographic” component; i.e., the random permutation oracle. The 
only secrets are simply XORed at the beginning and the end, and everything 
else is publicly accessible. 

Fundamental Open Problems. The Even-Mansour work may be described 
within the framework of the random-oracle model [BR93] in which their cipher 
makes use of a random permutation oracle. Naturally, the need for such a permu- 
tation oracle is unpleasant, especially since Even and Mansour did not indicate 
how one might instantiate such a random permutation oracle while maintaining 
security. This motivates the following problem: 

Open Problem 1: How can one go about instantiating the random permutation 
oracle in the Even-Mansour scheme? 

Furthermore, Even and Mansour only proved security against inversions and 
forgeries. However, for block ciphers, the current bar is to prove super pseudoran- 
domess [LR88] . That is, the cipher should be indistinguishable from a randomly 
chosen permutation on the same message space even if the adversary is granted 
black-box access to the forward and inverse directions of the cipher.¹ This motivates a second problem: 

Open Problem 2: Can one prove that an Even-Mansour type construction 
yields a super pseudorandom permutation? 

Our Contributions. We address the first question by demonstrating that 
the random permutation oracle can be replaced by a construction involving 
random function oracles; i.e., the underlying oracle (which must be accessible to 
all parties) does not have to be bijective, but we construct a permutation using 
it that is bijective. By supplanting the use of random permutation oracles by 
random function oracles, we have a result based on a less restrictive model. Our 
construction uses a Feistel ladder in which the random function oracle is used 
as a round function (see fig. 1). However, what is different in this setting is that 
the adversary not only has access to the forward and reverse directions of the 
cipher, but also to each of the individual round functions. 

We address the second problem by proving that the construction is super 
pseudorandom. We remark the one can construe the Kilian-Rogaway analysis 



¹ There is also a notion of pseudorandomness for block ciphers wherein the adversary 
must distinguish it from a random permutation given black-box access to only the 
forward direction of the cipher. 
Fig. 1. The diagram on the left depicts the Even-Mansour scheme where $P$ is a random permutation oracle; i.e., the adversary has black-box access to $P$ and $P^{-1}$. The diagram on the right depicts our scheme in which the permutation oracle is instantiated by a Feistel network consisting of publicly-accessible random function oracles $f$, $g$.

of DESX [KR96] as a proof that Even-Mansour is pseudorandom. Recall that 
in DESX, the Even-Mansour random permutation is supplanted with a keyed 
block cipher, such as DES. The Kilian-Rogaway proof allowed the adversary 
oracle access to the internal permutation P (modeled as an ideal block cipher) 
as well as $P^{-1}$, to simulate that an adversary had correctly guessed the key; this maneuver isolates the benefits of the pre- and post-whitening keys. However, in their published proof the adversary was not given access to the inverse of the block cipher, so super pseudorandomness was not proved.²

In addition, Ramzan-Reyzin [RROO] noted that one could use their round se- 
curity framework to prove that Even-Mansour is super pseudorandom, but their 
focus was different, so no proof was supplied. Also their comment was limited to 
the original Even-Mansour construction (which used the random permutation 
oracle). Therefore, we consider addressing the first fundamental open problem 
as our main technical contribution; a side benefit of our work is a proof of super- 
pseudorandomness for Even-Mansour style block ciphers. 

Our results help us better understand block cipher design. First, they point 
to the benefit of pre- and post- whitening. In particular, our construction shows 
that, in the random function oracle model, one can construct a super pseudo- 
random block cipher in which the all key material is only incorporated during 
the pre- and post-whitening phases and in a very simple way. This is despite 
the fact that the adversary has access to the internals of the cipher. Second, our 
constructions show that it may be possible to obtain a middle ground between 



² Kilian and Rogaway mentioned that one could extend their proof to address chosen 
ciphertext queries, however, they did not provide the proof, nor did they state a 
formal security theorem where such access is given. 
pure black-box analysis and one in which an adversary has some meaningful 
knowledge about the internal design of the black box. This can be thought of 
as a “gray-box” analysis. We also remark that the random permutation oracle 
model seems less appealing than the random function oracle model. Instantiat- 
ing a random function oracle while maintaining security seems more plausible 
since such functions could be made sufficiently complex that their behavior is 
ill understood. On the other hand, when instantiating a random permutation 
oracle with an actual permutation, one is limited in the complexity of the de- 
sign since the function must remain bijective and efficient to invert. Our results 
give hope that one may be able to base future cryptosystems on random permu- 
tation oracles and replace them with constructions based on random function 
oracles in a provably secure way. Finally, our work helps bridge the gap between 
the theory and practice of Feistel ciphers. In particular, the theoretical work 
on Feistel ciphers (e.g., [LR88]) considers round functions that are strong (e.g., 
pseudorandom) and potentially complex keying mechanisms (e.g., the functions 
themselves are keyed). This departs from practice in two ways. First, round func- 
tions in practice are weak. Second, block cipher round keys are introduced in 
some simple way, for example by XORing them prior to applying an un-keyed 
function (cf. DES [FIPS46]). Our work sits somewhere in between since it con- 
siders complex round functions (random oracles), but simple keying procedures 
(XORing). Therefore, we can view our work as providing better mathematical 
insight into the security of DES-like ciphers. 

Other Results. Our proof of security holds even if the amount of key material 
is reduced twofold. Also, if we permit group operations other than XOR, we can 
recycle keying material, yielding a fourfold reduction; interestingly, if XOR is 
used with recycled keying material, the cipher behaves like an involution and 
is trivially distinguishable from a random permutation. This idea of consider- 
ing different group operations has previously been applied to Luby-Rackoff ci- 
phers [PRS02]. On the negative side, a "sliding with a twist" attack [BW00] allows an adversary to recover the key using $\sqrt{2}\cdot 2^n$ known plaintexts and $\sqrt{2}\cdot 2^n$ work. Finally, if we instantiate the permutation with three Feistel rounds, 
the construction is pseudorandom, but is not super pseudorandom. The attack 
adapts the standard distinguisher for three-round Luby-Rackoff ciphers [LR88] . 
Due to space constraints, as well as the fact that these results follow easily from 
existing techniques, we omit a further discussion. For details, see the full version 
of the paper [GR04]. 

Caveat ( s) Emptor. While the random-oracle model is an extremely useful 
cryptographic tool, there are instances of schemes that are secure in the random 
oracle model, but are insecure for any instantiation of the random oracle by a 
polynomial-time computable function [CGH98, GK03, BBP04]. We further note that the lower bounds we present indicate that $n$ should be chosen so that $2^{n/2}$ 
is sufficiently large to thwart distinguishing attacks. We also remark that Even 
and Mansour gave a $O(2^{-n})$ upper bound on the adversary's success probability, whereas our bound resembles $O(2^{-n/2})$. However, Even and Mansour only 
proved security against inversions and forgeries whereas we show super pseudo- 
randomness. Moreover, we eliminate the random permutation oracle requirement 
and also give the adversary access to the innards of the cipher. Therefore, we 
expect there to be a sizeable gap in the respective security guarantees. In light of 
these caveats, we stress that our main contribution is in resolving fundamental 
issues from the Even-Mansour work and gaining more theoretical insight into 
block cipher design; we do not recommend this as a practical approach to build- 
ing a block cipher. In fact, if efficient random oracle model based block ciphers are desired, then Ramzan and Reyzin have a four-round Feistel block cipher con- 
struction in which the middle two rounds use a random oracle, and the outer 
two rounds involve universal hash functions [RROO] . 

Organization. Section 2 reviews prior definitions and constructions. Section 3 
discusses our main construction and security proof. Finally, we make concluding 
remarks in Section 4. 



2 Prior Definitions and Constructions 

We describe definitions and prior constructions that are germane to our work. We 
avoid asymptotic analysis in favor of the “concrete” (or “exact” ) security model 
as laid out by Bellare, Kilian, and Rogaway [BKR94], and Bellare, Canetti, 
Krawczyk [BCK96]. However, our results can be adapted to either model. 

Notation. For a natural number $n$, we let $I_n$ denote the set of bit strings of length $n$: $\{0,1\}^n$. For a bit string $x$, we let $|x|$ denote its length. If $|x|$ is even, then $x^L$ and $x^R$ denote the left and right halves of the bits respectively; we sometimes write $x = (x^L, x^R)$. If $x$ and $y$ are two bit strings with $|x| = |y|$, we denote by $x \oplus y$ their bitwise exclusive OR. If $S$ is a probability space, then $x \xleftarrow{R} S$ denotes the process of picking an element from $S$ according to the underlying probability distribution. Unless otherwise specified, the underlying distribution is assumed to be uniform. By a finite function (or permutation) family $\mathcal{F}$, we denote a set of functions with common domain and common range. Let $\mathrm{Rand}^{k \to l}$ be the set of all functions going from $I_k$ to $I_l$, and let $\mathrm{Perm}^m$ be the set of all permutations on $I_m$. We call a finite function (or permutation) family keyed if every function in it can be specified (not necessarily uniquely) by a key $a$. We denote the function given by $a$ as $f_a$. We assume that given $a$, it is possible to efficiently evaluate $f_a$ at any point (as well as $f_a^{-1}$ in case of a keyed permutation family). For a given keyed function family, a key can be any string from $I_s$, where $s$ is known as "key length." (Sometimes it is convenient to have keys from a set other than $I_s$; we do not consider such function families simply for clarity of exposition, but our results continue to apply in such cases.) For functions $f$ and $g$, $g \circ f$ denotes the function $x \mapsto g(f(x))$.
Model of Computation. We model the adversary $A$ as a program for a Random Access Machine (RAM) with black-box access to some number $k$ of oracles, each computing some specified function. If $(f_1, \ldots, f_k)$ is a $k$-tuple of functions, then $A^{f_1, \ldots, f_k}$ denotes a $k$-oracle adversary who is given black-box oracle access to each of the functions $f_1, \ldots, f_k$. We define $A$'s "running time" to be the number of time steps it takes plus the length of its description (to prevent one from embedding arbitrarily large lookup tables in $A$'s description).



Pseudorandom Functions and Block Ciphers. The pseudorandomness of a keyed function family with domain $I_k$ and range $I_l$ captures its computational indistinguishability from $\mathrm{Rand}^{k \to l}$. The following definition is adapted from [GGM84]:



Definition 1. A pseudorandom function family $\mathcal{F}$ is a keyed function family with domain $I_k$, range $I_l$, and key length $s$. Let $A$ be a 1-oracle adversary. Then we define $A$'s advantage as
$$\mathbf{Adv}^{\mathrm{prf}}_{\mathcal{F}}(A) = \Pr[a \xleftarrow{R} I_s : A^{f_a} = 1] - \Pr[f \xleftarrow{R} \mathrm{Rand}^{k \to l} : A^{f} = 1] .$$
For any integers $q, t \ge 0$, we define $\mathbf{Adv}^{\mathrm{prf}}_{\mathcal{F}}(q,t) = \max_A\{\mathbf{Adv}^{\mathrm{prf}}_{\mathcal{F}}(A)\}$, as an insecurity function, where the maximum is taken over choices of adversary $A$ such that:

— $A$ makes at most $q$ oracle queries, and

— the running time of $A$, plus the time necessary to select $a \xleftarrow{R} I_s$ and answer $A$'s queries, is at most $t$.

Recall that the Even-Mansour cipher [EM97] operates on a $2n$-bit string $x$ as follows: $E(x) = k_2 \oplus P(x \oplus k_1)$ where $k_1, k_2 \in I_{2n}$ constitute the keying material and $P$ is a random permutation oracle. Here $P$ and $P^{-1}$ are publicly computable (in a black-box fashion) by all parties. Even and Mansour proved that $E$ is hard to invert on a point $C_0$ of the adversary's choice even if the adversary has oracle access to $E, E^{-1}, P, P^{-1}$ subject to the restriction that the adversary cannot query the $E^{-1}$ oracle on the point $C_0$; i.e., it is hard to find $M_0$ such that $M_0 = E^{-1}_{k_1,k_2}(C_0)$. Similarly, they showed that the adversary cannot compute the ciphertext corresponding to a message point $M_0$ of its choice with access to these same oracles, but this time subject to the restriction that the adversary cannot query the $E$ oracle on point $M_0$; i.e., it is hard to find $C_0$ such that $C_0 = E_{k_1,k_2}(M_0)$. While these results capture some of the security requirements needed for a block cipher, there are stronger notions of security for a block cipher. One such notion, proposed by Luby and Rackoff [LR88], is called super pseudorandomness. The notion captures the pseudorandomness of a permutation family on $I_\ell$ in terms of its indistinguishability from $\mathrm{Perm}^\ell$, where the adversary is given access to both directions of the permutation. In other words, it measures security of a block cipher against chosen plaintext and ciphertext attacks. We now describe such notions and how to achieve them.




38    C. Gentry and Z. Ramzan



Definition 2. A block cipher $\mathcal{P}$ is a keyed permutation family with domain and range $I_\ell$ and key length $s$. Let $A$ be a 2-oracle adversary. Then we define $A$'s advantage as
$$\mathbf{Adv}^{\mathrm{sprp}}_{\mathcal{P}}(A) = \Bigl|\Pr[a \xleftarrow{R} I_s : A^{p_a, p_a^{-1}} = 1] - \Pr[p \xleftarrow{R} \mathrm{Perm}^\ell : A^{p, p^{-1}} = 1]\Bigr| .$$
For any integers $q, t \ge 0$, $\mathbf{Adv}^{\mathrm{sprp}}_{\mathcal{P}}(q,t)$ specifies the insecurity function (analogous to Definition 1).

Luby and Rackoff showed how to construct a secure block cipher using Feistel 
permutations. 

Definition 3 (Basic Feistel Permutation). Let $\mathcal{F}$ be a function family with domain and range $I_n$. Let $f \in \mathcal{F}$. Let $x = (x^L, x^R)$ with $x^L, x^R \in I_n$. We denote by $\bar{f}$ the permutation on $I_{2n}$ defined as $\bar{f}(x) = (x^R, x^L \oplus f(x^R))$. Note that it is a permutation because $\bar{f}^{-1}(y) = (y^R \oplus f(y^L), y^L)$. Similarly, let $\bar{\mathcal{F}} = \{\bar{f} \mid f \in \mathcal{F}\}$.

Definition 4 (Feistel Network). If $f_1, \ldots, f_s$ are mappings with domain and range $I_n$, then we denote by $\Phi(f_1, \ldots, f_s)$ the permutation on $I_{2n}$ defined as
$$\Phi(f_1, \ldots, f_s) = \bar{f}_s \circ \cdots \circ \bar{f}_1 .$$

Theorem 1 (Luby-Rackoff). Let $h_1, f_1, f_2, h_2$ be independently-keyed functions from a keyed function family $\mathcal{F}$ with domain and range $I_n$ and key space $I_s$. Let $\mathcal{P}$ be the family of permutations on $I_{2n}$ with key space $I_{4s}$ defined by $\mathcal{P} = \Phi(h_1, f_1, f_2, h_2)$ (the key for an element of $\mathcal{P}$ is simply the concatenation of keys for $h_1, f_1, f_2, h_2$). Then, $\mathbf{Adv}^{\mathrm{sprp}}_{\mathcal{P}}(q,t) \le 4\,\mathbf{Adv}^{\mathrm{prf}}_{\mathcal{F}}(q,t) + \binom{q}{2}\bigl(2^{-n+1} + 2^{-2n+1}\bigr)$.

The Luby-Rackoff result proved security when the adversary has access to the 
permutation and its inverse. In our case, we will show security of the Even- 
Mansour cipher when the adversary has black-box access to the cipher, its in- 
verse, and to each of the internal round functions. 

Having presented the classical definitions of block ciphers and Feistel net- 
works, we now describe notions of the Ramzan-Reyzin round security frame- 
work [RROO] which we make use of in the present work. 

Definition 5 (Round Decomposition [RR00]). Let $\mathcal{P}, \mathcal{F}^1, \ldots, \mathcal{F}^r$ be keyed permutation families, each with domain and range $I_\ell$ and key length $s$, such that for any key $a \in I_s$, $p_a = f^r_a \circ \cdots \circ f^1_a$. Then $\mathcal{F}^1, \ldots, \mathcal{F}^r$ is called an $r$-round decomposition for $\mathcal{P}$. For $i \le j$, denote by $(i \to j)_a$ the permutation $f^j_a \circ \cdots \circ f^i_a$, and by $(i \leftarrow j)_a$ the permutation $(f^j_a \circ \cdots \circ f^i_a)^{-1}$. Denote by $i \to j$ and $i \leftarrow j$ the corresponding keyed function families.

Note that having oracle access to a member of $i \to j$ means being able to give inputs to round $i$ of the forward direction of a block cipher and view outputs after round $j$. Likewise, having oracle access to $i \leftarrow j$ corresponds to being able to give inputs to round $j$ of the reverse direction of the block cipher and view outputs after round $i$. Thus, the oracle for $1 \to r = \mathcal{P}$ corresponds to the oracle for a chosen plaintext attack, and the oracle for $1 \leftarrow r = \mathcal{P}^{-1}$ corresponds to the oracle for a chosen ciphertext attack.

We now give a formal security definition of a block cipher when an adversary 
has access to internal rounds. Note that the adversary is allowed oracle access 
to some subset K of the set {i ^ j,i ^ j ■ I < i < j < r}, and the insecurity 
function additionally depends on K. 

Definition 6 (Round Security [RR00]). Let $\mathcal{P}$ be a block cipher with domain and range $I_\ell$, key length $s$, and some $r$-round decomposition $\mathcal{F}^1, \ldots, \mathcal{F}^r$. Fix some subset $K = \{\kappa_1, \ldots, \kappa_k\}$ of the set $\{i \to j, i \leftarrow j : 1 \le i \le j \le r\}$, and let $A$ be a $k+2$-oracle adversary. Then we define $A$'s advantage as
$$\mathbf{Adv}^{\mathrm{sprp}}_{\mathcal{P},K}(A) = \Bigl|\Pr[a \xleftarrow{R} I_s : A^{p_a, p_a^{-1}, (\kappa_1)_a, \ldots, (\kappa_k)_a} = 1] - \Pr[p \xleftarrow{R} \mathrm{Perm}^\ell,\ a \xleftarrow{R} I_s : A^{p, p^{-1}, (\kappa_1)_a, \ldots, (\kappa_k)_a} = 1]\Bigr| .$$
For any integers $q, t \ge 0$ and set $K$, $\mathbf{Adv}^{\mathrm{sprp}}_{\mathcal{P},K}(q,t)$ specifies our insecurity function (analogous to Definition 2).

Ramzan and Reyzin [RROO] were the first to consider what happens when 
internal round functions of a Feistel network are available to an external adver- 
sary. 



Theorem 2 (Ramzan-Reyzin). Let $f_1, f_2, f_3, f_4$ be independently-keyed functions from a keyed function family $\mathcal{F}$ with domain and range $I_n$ and key space $I_s$. Let $\mathcal{P}$ be the family of permutations on $I_{2n}$ with key space $I_{4s}$ defined by $\mathcal{P} = \Phi(f_1, f_2, f_3, f_4)$ with the natural 4-round decomposition $\bar{\mathcal{F}}, \bar{\mathcal{F}}, \bar{\mathcal{F}}, \bar{\mathcal{F}}$. Let $K = \{i \to j, i \leftarrow j : 2 \le i \le j \le 3\}$. Then
$$\mathbf{Adv}^{\mathrm{sprp}}_{\mathcal{P},K}(q,t) \le \cdots + 2^{-2n+1}\bigr) .$$

Ramzan-Reyzin consider the case where all parties have black-box access to the internal permutations $\bar{f}_2, \bar{f}_3$. They noted that if the underlying round functions $f_2$ and $f_3$ are chosen from $\mathrm{Rand}^{n \to n}$, then one could translate their results to the random oracle model wherein $f_2, f_3$ are modeled as random function oracles that are accessible to all parties, including the adversary.



3 Our Main Result 

We now prove our main result. We use the Ramzan-Reyzin round-security framework [RR00] to analyze our construction and leverage their techniques to obtain the desired result. However, for technical reasons, the proof must also incorporate an additional hybrid distribution into the argument. Now, let $\Psi^{f,g}_{k_1,k_2}$ denote the Even-Mansour construction when the internal permutation is replaced by a four-round Feistel network with outer round function $g$ and inner round function $f$: $\Psi^{f,g}_{k_1,k_2}(x) = k_2 \oplus \Phi(g, f, f, g)(x \oplus k_1)$. Here $k_1, k_2 \in I_{2n}$ are the keys and $f, g$ are modeled as random function oracles; i.e., they are publicly accessible to all parties (including the adversary) and behave like random functions. Observe then that the adversary can compute not only the Even-Mansour permutation, but also knows its internal structure and has black-box access to the functions $f$ and $g$ around which it is designed. We view this construction as consisting of the composition of six round permutations:

— $\pi_1(x) = x \oplus k_1$.

— $\pi_2, \pi_5 = \bar{g}$.

— $\pi_3, \pi_4 = \bar{f}$. Recall that $\bar{f}$ denotes a permutation on $I_{2n}$ defined as $\bar{f}(x) = (x^R, x^L \oplus f(x^R))$.

— $\pi_6(x) = x \oplus k_2$.

Observe that $\Psi^{f,g}_{k_1,k_2}(M) = \pi_6 \circ \pi_5 \circ \cdots \circ \pi_2 \circ \pi_1(M)$. We now state our main result in the following theorem:

Theorem 3 (Main Result). Suppose $K \subseteq \{i \to j, i \leftarrow j : 2 \le i \le j \le 5\}$. Let $f$ and $g$ be modeled as random oracles, and let $k_1$ and $k_2$ be picked randomly and independently from $I_{2n}$. Let $\Psi^{f,g}_{k_1,k_2}(x) = k_2 \oplus \Phi(g, f, f, g)(x \oplus k_1)$, and $R$ be a random permutation on $I_{2n}$. Then
$$\mathbf{Adv}^{\mathrm{sprp}}_{\Psi^{f,g},K}(q,t) \le (2q^2 - q)\cdot 2^{-n} + \binom{q}{2}\cdot 2^{-2n+1} .$$

Observe that we do not consider any terms of the form $\mathbf{Adv}^{\mathrm{prf}}_{\mathcal{F}}(q,t)$ since we assume that the underlying round functions are modeled as random oracles, in which case such terms will evaluate to 0.
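The construction above in Python, as an example added by the editor (not the paper's code): f and g are public random function oracles simulated by lazy sampling from seeded pseudorandom generators (the seeds and the choice n = 64 are the example's), f̄ and Φ follow Definitions 3 and 4, and Ψ adds the two XOR whitening keys. Because the oracles are public, the adversary can recompute Φ and therefore Ψ up to the keys, which is exactly the gray-box setting of Theorem 3. The last function is a two-query check that is the editor's derivation from Definition 3, not something the paper spells out: since f̄^{−1} = swap ∘ f̄ ∘ swap and (g, f, f, g) is a palindrome, Φ^{−1} = swap ∘ Φ ∘ swap, and when the fourfold key reduction of the "Other Results" paragraph is done with XOR, k1 = k2 = (k, k), the relation Ψ^{−1}(y) = swap(Ψ(swap(y))) holds for every y, which is the "behaves like an involution" observation there and is what makes that variant trivially distinguishable.

```python
# Even-Mansour with the random permutation replaced by Phi(g, f, f, g) (Section 3).
# Editor's example, not the paper's code.  f and g are public random function
# oracles I_n -> I_n, simulated by lazy sampling from seeded PRNGs so that the
# adversary can query them too; the only secrets are k1, k2 in I_2n.
import random

N = 64                        # n; the cipher acts on 2n = 128-bit strings
HALF = (1 << N) - 1

class RandomOracle:
    """Lazily sampled random function I_n -> I_n, queryable by everyone."""
    def __init__(self, seed):
        self.rng, self.table = random.Random(seed), {}

    def __call__(self, x):
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(N)
        return self.table[x]

def split(x):                 # x = (x^L, x^R)
    return x >> N, x & HALF

def join(left, right):
    return (left << N) | right

def swap(x):
    left, right = split(x)
    return join(right, left)

def feistel(f, x):
    """Basic Feistel permutation of Definition 3: f-bar(x) = (x^R, x^L xor f(x^R))."""
    left, right = split(x)
    return join(right, left ^ f(right))

def feistel_inv(f, y):
    """f-bar^{-1}(y) = (y^R xor f(y^L), y^L)."""
    left, right = split(y)
    return join(right ^ f(left), left)

def phi(rounds, x):
    """Phi(f_1, ..., f_s) = f_s-bar o ... o f_1-bar (Definition 4)."""
    for fn in rounds:
        x = feistel(fn, x)
    return x

def phi_inv(rounds, y):
    for fn in reversed(rounds):
        y = feistel_inv(fn, y)
    return y

class EvenMansourFeistel:
    """Psi^{f,g}_{k1,k2}(x) = k2 xor Phi(g, f, f, g)(x xor k1)."""
    def __init__(self, f, g, k1, k2):
        self.rounds, self.k1, self.k2 = (g, f, f, g), k1, k2

    def enc(self, x):
        return self.k2 ^ phi(self.rounds, x ^ self.k1)

    def dec(self, y):
        return self.k1 ^ phi_inv(self.rounds, y ^ self.k2)

def swap_relation_holds(cipher, y):
    """Two-query test: does Psi^{-1}(y) == swap(Psi(swap(y)))?

    f-bar^{-1} = swap o f-bar o swap, and (g, f, f, g) is a palindrome, so
    Phi^{-1} = swap o Phi o swap.  Under the fourfold XOR key reduction
    k1 = k2 = (k, k) both whitening keys are swap-invariant and the relation
    holds for every y, so one Psi query plus one Psi^{-1} query distinguish the
    cipher from a random permutation.  With independent k1, k2 it holds only
    by accident (the two Phi inputs differ, so the outputs are unrelated).
    """
    return cipher.dec(y) == swap(cipher.enc(swap(y)))
```

The same objects also give a direct view of the round-security oracles of Definition 6: an oracle for 2 → 5 is phi(rounds, ·), and the footnote's remark that one query to such an oracle may cost several f and g queries is visible in the loop of phi.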

Recasting the problem in the round-security framework allows us to apply 
the techniques of Ramzan and Reyzin [RROO] (who generalized the techniques 
of Naor and Reingold [NR99] to deal with the extra queries from an oracle with 
internal access). We note that access to the oracles of K is equivalent to access 
to the oracles for $f$ and $g$.³ Now, consider the following theorem. 

Theorem 4. Let $f$ and $g$ be modeled as random oracles, and let $k_1$ and $k_2$ be picked randomly and independently from $I_{2n}$. Let $\Psi^{f,g}_{k_1,k_2}(x) = k_2 \oplus \Psi(g,f,f,g)(x \oplus k_1)$, and let $R$ be a random element of $\mathrm{Perm}^{2n}$. Then, for any 4-oracle adversary $A$ (we do not restrict the running time of $A$) that makes at most $q_c$ queries to its first two oracles (either $\Psi, \Psi^{-1}$ or $R, R^{-1}$) and at most $q_{of}$ and $q_{og}$ queries to its second two oracles ($f$ and $g$) respectively, it follows that:

$$\bigl|\Pr[A^{\Psi,\Psi^{-1},f,g} = 1] - \Pr[A^{R,R^{-1},f,g} = 1]\bigr| \le (q_c^2 + 2q_{of}\,q_c + 2q_{og}\,q_c + q_c^2 - q_c)\cdot 2^{-n} + \binom{q_c}{2}\cdot 2^{-2n+1}.$$



$^{6}$ We remark, however, that one query to an oracle in $\mathcal{K}$ may need to be simulated by multiple queries to $f, g$. Therefore, the total number of queries made to $f$ and $g$ is an upper bound on the number of queries that would need to be made to an oracle in $\mathcal{K}$.
Observing that the total number of queries is $q = q_c + q_{of} + q_{og}$, it is straightforward to see that

$$(q_c^2 + 2q_{of}\,q_c + 2q_{og}\,q_c + q_c^2 - q_c) \le \ldots - q.$$

Therefore, we see that Theorem 4 implies Theorem 3. In the sequel, we describe the proof of Theorem 4. The first part of the proof focuses on the adversary's transcript (i.e., his "view") and shows that each possible transcript is about as likely to occur when $A$ is given $\Psi, f, g$ as when $A$ is given $R, f, g$. This part of the proof also relies on a hybrid distribution $\hat\Psi$ to facilitate the proof. The second part uses a standard probability argument to show that if the distributions on transcripts are similar, then $A$ will have a small advantage in distinguishing $\Psi$ from $R$.

Proof of Theorem 4. To start with, let $P$ denote the permutation oracle (either $\Psi$ or $R$) that $A$ accesses. From now on, for notational convenience we ignore the superscripts $f,g$ and the subscripts $k_1,k_2$ associated with $\Psi$. Let $O^f$ and $O^g$ denote the oracles that compute the functions $f$ and $g$ (note that when $A$ gets $\Psi$ as its permutation oracle, $f$ and $g$ are actually used as the round functions in the computation of the oracle $P = \Psi$; when $A$ gets $R$ as its permutation oracle, $f$ and $g$ are independent of $P = R$). The machine $A$ makes two types of queries to the oracle $P$: $(+,x)$, which asks to obtain the value of $P(x)$, or $(-,y)$, which asks to obtain the value of $P^{-1}(y)$, where both $x$ and $y$ are in $I_{2n}$. We call these cipher queries. We define the query-answer pair for the $i^{th}$ cipher query as $(x_i,y_i) \in I_{2n} \times I_{2n}$ if $A$'s query was $(+,x_i)$ and $y_i$ is the answer it received from $P$, or its query was $(-,y_i)$ and $x_i$ is the answer it received. We assume that $A$ makes exactly $q_c$ cipher queries and we call the sequence $\{(x_1,y_1),\ldots,(x_{q_c},y_{q_c})\}_P$ the cipher-transcript of $A$. In addition, $A$ can make queries to $O^f$ and $O^g$. We call these oracle queries. We denote these queries as $(O^f,x')$ (resp. $(O^g,x'')$), which asks to obtain $f(x')$ (resp. $g(x'')$). We define the query-answer pair for the oracle query as $(x',y') \in I_n \times I_n$ if $A$'s query was $(O^f,x')$ and the answer it received was $y'$, and as $(x'',y'') \in I_n \times I_n$ if $A$'s query was $(O^g,x'')$ and the answer it received was $y''$. We assume that $A$ makes $q_{of}$ and $q_{og}$ queries to $O^f$ and $O^g$ respectively. We call the sequence $\{(x'_1,y'_1),\ldots,(x'_{q_{of}},y'_{q_{of}})\}_{O^f}$ the $f$-oracle-transcript of $A$ and $\{(x''_1,y''_1),\ldots,(x''_{q_{og}},y''_{q_{og}})\}_{O^g}$ the $g$-oracle-transcript of $A$. Note that since $A$ is computationally unbounded, we can make the standard assumption that $A$ is a deterministic machine. Under this assumption, the exact next query made by $A$ can be determined by the previous queries and the answers received. We formalize this as follows:

Definition 7. We denote the $(i+j+k+1)^{th}$ query $A$ makes as a function of the first $i+j+k$ query-answer pairs in $A$'s cipher and oracle transcripts (where either $i < q_c$ or $j < q_{of}$ or $k < q_{og}$) by:

$$C_A\bigl[\{(x_1,y_1),\ldots,(x_i,y_i)\}_P,\ \{(x'_1,y'_1),\ldots,(x'_j,y'_j)\}_{O^f},\ \{(x''_1,y''_1),\ldots,(x''_k,y''_k)\}_{O^g}\bigr]$$

For the case that all queries have been made (i.e., $i = q_c$, $j = q_{of}$, $k = q_{og}$), we define the above expression to denote $A$'s output as a function of its cipher and oracle transcripts.

Definition 8. Let $\sigma = (T_P, T_f, T_g)$ be a three-tuple comprising the sequences $T_P = \{(x_1,y_1),\ldots,(x_{q_c},y_{q_c})\}_P$, $T_f = \{(x'_1,y'_1),\ldots,(x'_{q_{of}},y'_{q_{of}})\}_{O^f}$, and $T_g = \{(x''_1,y''_1),\ldots,(x''_{q_{og}},y''_{q_{og}})\}_{O^g}$, where for $1 \le i \le q_c$ we have that $(x_i,y_i) \in I_{2n} \times I_{2n}$, for $1 \le j \le q_{of}$ we have that $(x'_j,y'_j) \in I_n \times I_n$, and for $1 \le k \le q_{og}$ we have that $(x''_k,y''_k) \in I_n \times I_n$. Then $\sigma$ is a possible $A$-transcript if for every $1 \le i \le q_c$, for every $1 \le j \le q_{of}$ and for every $1 \le k \le q_{og}$,

$$C_A\bigl[\{(x_1,y_1),\ldots,(x_i,y_i)\}_P,\ \{(x'_1,y'_1),\ldots,(x'_j,y'_j)\}_{O^f},\ \{(x''_1,y''_1),\ldots,(x''_k,y''_k)\}_{O^g}\bigr] \in \{(+,x_{i+1}),\ (-,y_{i+1}),\ \ldots\}.$$

We now consider two useful processes for answering $A$'s cipher queries.

Definition 9. Let $\hat\Psi$ denote the process in which the cipher queries and $f$-oracle queries are answered as they would be for $\Psi$; however, the $g$-oracle queries are answered by another independent random function oracle $h$.

Definition 10. Let $\hat R$ denote the process that answers all oracle queries as $\Psi$ would, but answers the cipher queries of $A$ as follows:

1. If $A$'s query is $(+,x_i)$ and for some $1 \le j < i$ the $j^{th}$ query-answer pair is $(x_i,y_j)$, then $\hat R$ answers $y_j$.

2. If $A$'s query is $(-,y_i)$ and for some $1 \le j < i$ the $j^{th}$ query-answer pair is $(x_j,y_i)$, then $\hat R$ answers $x_j$.

3. If neither of the above happens, then $\hat R$ answers with a uniformly chosen element in $I_{2n}$.

We formalize the fact that $\hat R$'s answers may not be consistent with any function, let alone any permutation.

Definition 11. Let $\sigma' = \{(x_1,y_1),\ldots,(x_{q_c},y_{q_c})\}_P$ be any possible $A$-cipher transcript. We say that $\sigma'$ is inconsistent if for some $1 \le j < i \le q_c$ the corresponding query-answer pairs satisfy $x_i = x_j$ but $y_i \ne y_j$, or $x_i \ne x_j$ but $y_i = y_j$. Likewise, we call any $A$-transcript $\sigma$ that contains $\sigma'$ inconsistent.

Note 1. If $\sigma = (T_P,T_f,T_g)$, with sub-transcripts $T_P = \{(x_1,y_1),\ldots,(x_{q_c},y_{q_c})\}_P$, $T_f = \{(x'_1,y'_1),\ldots,(x'_{q_{of}},y'_{q_{of}})\}_{O^f}$, and $T_g = \{(x''_1,y''_1),\ldots,(x''_{q_{og}},y''_{q_{og}})\}_{O^g}$, is a possible $A$-transcript, we assume from now on that if $\sigma$ is consistent and $i \ne j$ then $x_i \ne x_j$, $y_i \ne y_j$, $x'_i \ne x'_j$, and $x''_i \ne x''_j$. This formalizes the concept that $A$ never repeats a query if it can determine the answer from a previous query-answer pair.

Fortunately, the process $\hat R$ often behaves like a permutation. It turns out that if $A$ is given oracle access to either $R$ or $\hat R$ to answer its cipher queries, it will have a negligible advantage in distinguishing between the two. Proposition 1 states this more formally. Before doing so, we first consider the distributions on the various transcripts seen by $A$ as a function of the different distributions on answers it can get.

Definition 12. The discrete random variables $T_\Psi$, $T_{\hat\Psi}$, $T_R$, $T_{\hat R}$ denote the cipher and oracle transcripts seen by $A$ when its cipher queries are answered by $\Psi$, $\hat\Psi$, $R$, $\hat R$ respectively, and its oracle queries are answered by $O^f$ or $O^g$.

Remark 1. Observe that according to our definitions and assumptions, $A^{\Psi,\Psi^{-1},f,g}$ and $C_A(T_\Psi)$ denote the same random variable. The same is true for the other discrete random variables.

Proposition 1. $\bigl|\Pr_R[C_A(T_R) = 1] - \Pr_{\hat R}[C_A(T_{\hat R}) = 1]\bigr| \le \binom{q_c}{2}\cdot 2^{-2n}$.

The proof of this proposition has appeared in numerous places [NR99, RR00]. The idea is to observe that $T_R$, $T_{\hat R}$ have the same distribution conditioned on $T_{\hat R}$ being consistent. One can then bound the probability that $T_{\hat R}$ is inconsistent by $\binom{q_c}{2}\cdot 2^{-2n}$. The proof can be completed by a standard probability argument. We omit the details, though they are available in the full version [GR04]. We now proceed to obtain a bound on the advantage that $A$ will have in distinguishing between $T_\Psi$ and $T_{\hat R}$. We first show that $T_\Psi$ and $T_{\hat\Psi}$ are identically distributed, unless the input to $g$ in a cipher query related to $\Psi$ matches the input to $g$ in an oracle query related to $\Psi$. We can compute the likelihood of such an event as a function of only $k_1$ and $k_2$; we term this event BadG and define it next; we then compute the probability that it occurs.

Definition 13. For every specific pair of keys $k_1,k_2 \in I_{2n}$, we define $\mathrm{BadG}(k_1,k_2)$ to be the set of all possible and consistent transcripts $\sigma = (T_P,T_f,T_g)$, with sub-transcripts $T_P = \{(x_1,y_1),\ldots,(x_{q_c},y_{q_c})\}_P$, $T_f = \{(x'_1,y'_1),\ldots,(x'_{q_{of}},y'_{q_{of}})\}_{O^f}$, and $T_g = \{(x''_1,y''_1),\ldots,(x''_{q_{og}},y''_{q_{og}})\}_{O^g}$, satisfying at least one of the following events:

— BG1: there exists $1 \le i \le q_c$, $1 \le j \le q_{og}$ such that $x_i^R \oplus k_1^R = x''_j$, or

— BG2: there exists $1 \le i \le q_c$, $1 \le j \le q_{og}$ such that $y_i^L \oplus k_2^L = x''_j$.

Proposition 2. Let $k_1,k_2$ be randomly and independently chosen from $I_{2n}$. For any possible and consistent $A$-transcript $\sigma = (T_P,T_f,T_g)$, with sub-transcripts $T_P = \{(x_1,y_1),\ldots,(x_{q_c},y_{q_c})\}_P$, $T_f = \{(x'_1,y'_1),\ldots,(x'_{q_{of}},y'_{q_{of}})\}_{O^f}$, and $T_g = \{(x''_1,y''_1),\ldots,(x''_{q_{og}},y''_{q_{og}})\}_{O^g}$, we have that

$$\Pr_{k_1,k_2}[\sigma \in \mathrm{BadG}(k_1,k_2)] \le 2\,q_{og}\,q_c \cdot 2^{-n}.$$

Proof. (Sketch) A transcript $\sigma$ is in $\mathrm{BadG}(k_1,k_2)$ if one of BG1 or BG2 occurs. We obtain an upper bound on the probability of each of these events separately by using the fact that $k_1, k_2$ are chosen uniformly at random from $I_{2n}$. Applying the union bound to sum the individual probabilities yields the desired result.

We now show that $T_\Psi$ and $T_{\hat\Psi}$ are identically distributed if neither BG1 nor BG2 occurs.
Lemma 1. Let $\sigma = (T_P,T_f,T_g)$, where $T_P = \{(x_1,y_1),\ldots,(x_{q_c},y_{q_c})\}_P$, $T_f = \{(x'_1,y'_1),\ldots,(x'_{q_{of}},y'_{q_{of}})\}_{O^f}$, and $T_g = \{(x''_1,y''_1),\ldots,(x''_{q_{og}},y''_{q_{og}})\}_{O^g}$, be any possible and consistent $A$-transcript. Then

$$\Pr[T_\Psi = \sigma \mid \sigma \notin \mathrm{BadG}(k_1,k_2)] = \Pr[T_{\hat\Psi} = \sigma].$$

Proof. (Sketch) Observe that $x_i^R \oplus k_1^R \ne x''_j$ and $y_i^L \oplus k_2^L \ne x''_j$ for all $i,j$ whenever $\sigma \notin \mathrm{BadG}(k_1,k_2)$. In such a case, the inputs to $g$ during the cipher queries are distinct from the inputs to $g$ during the $g$-oracle queries. Since there is no overlap in the two sets of queries, since $g$ is modeled as a random oracle, and since the events depend only on the choice of $k_1$ and $k_2$ (which are chosen independently of $g$), the distribution is identical to one in which $g$ is replaced by another independently chosen random oracle $h$.

We now focus on $T_{\hat\Psi}$. It turns out that $T_{\hat\Psi}$ and $T_{\hat R}$ are identically distributed unless the same value is input to the inner random oracle $f$ on different occasions (we show this in Lemma 2). We can compute the likelihood of this event as a function of only $k_1$, $k_2$, and $g$. We call this event "Bad" (in the next definition) and obtain a bound on the probability that it actually occurs (in Proposition 3).

Definition 14. For every specific pair of keys $k_1,k_2 \in I_{2n}$ and oracle $g \in \mathrm{Rand}^{n}$, define $\mathrm{Bad}(k_1,k_2,g)$ to be the set of all possible and consistent transcripts $\sigma = (T_P,T_f,T_g)$, with sub-transcripts $T_P = \{(x_1,y_1),\ldots,(x_{q_c},y_{q_c})\}_P$, $T_f = \{(x'_1,y'_1),\ldots,(x'_{q_{of}},y'_{q_{of}})\}_{O^f}$, and $T_g = \{(x''_1,y''_1),\ldots,(x''_{q_{og}},y''_{q_{og}})\}_{O^g}$, satisfying at least one of the following events:

- B1: $\exists\, 1 \le i < j \le q_c$ such that $g(x_i^R \oplus k_1^R) \oplus x_i^L = g(x_j^R \oplus k_1^R) \oplus x_j^L$

- B2: $\exists\, 1 \le i < j \le q_c$ such that $y_i^R \oplus g(y_i^L \oplus k_2^L) = y_j^R \oplus g(y_j^L \oplus k_2^L)$

- B3: $\exists\, 1 \le i, j \le q_c$ such that $g(x_i^R \oplus k_1^R) \oplus x_i^L \oplus k_1^L = k_2^R \oplus y_j^R \oplus g(y_j^L \oplus k_2^L)$

- B4: $\exists\, 1 \le i \le q_c$, $1 \le j \le q_{of}$ such that $g(x_i^R \oplus k_1^R) \oplus x_i^L \oplus k_1^L = x'_j$

- B5: $\exists\, 1 \le i \le q_c$, $1 \le j \le q_{of}$ such that $k_2^R \oplus y_i^R \oplus g(y_i^L \oplus k_2^L) = x'_j$

Proposition 3. Let $k_1,k_2$ be randomly and independently chosen from $I_{2n}$. Then, for any possible and consistent $A$-transcript $\sigma = (T_P,T_f,T_g)$, with sub-transcripts $T_P = \{(x_1,y_1),\ldots,(x_{q_c},y_{q_c})\}_P$, $T_f = \{(x'_1,y'_1),\ldots,(x'_{q_{of}},y'_{q_{of}})\}_{O^f}$, and $T_g = \{(x''_1,y''_1),\ldots,(x''_{q_{og}},y''_{q_{og}})\}_{O^g}$, we have that

$$\Pr_{k_1,k_2,g}[\sigma \in \mathrm{Bad}(k_1,k_2,g)] \le \Bigl(q_c^2 + 2\,q_{of}\,q_c + 2\binom{q_c}{2}\Bigr)\cdot 2^{-n}.$$

Proof. (Sketch) Recall that a transcript $\sigma \in \mathrm{Bad}(k_1,k_2,g)$ if at least one of the above events occurs. We obtain an upper bound on the probability of each of these events separately using the fact that $k_1, k_2$ are chosen uniformly at random from $I_{2n}$ and that $g$ is chosen uniformly at random from $\mathrm{Rand}^{n}$. Applying the union bound to sum the probabilities for each event yields the desired result.

Lemma 2. Let $\sigma$ be defined as in Lemma 1. Then,

$$\Pr_{\hat\Psi}[T_{\hat\Psi} = \sigma \mid \sigma \notin \mathrm{Bad}(k_1,k_2,g)] = \Pr_{\hat R}[T_{\hat R} = \sigma].$$

Proof. It is easy to see that $\Pr_{\hat R}[T_{\hat R} = \sigma] = 2^{-(2q_c + q_{of} + q_{og})n}$ (following an argument in [NR99], [RR00]). Now, fix $k_1, k_2, g$ to be such that $\sigma \notin \mathrm{Bad}(k_1,k_2,g)$. We will now compute $\Pr[T_{\hat\Psi} = \sigma]$ (recall that in the definition of $\hat\Psi$, $h$ is a random oracle independent of $f$ and $g$, and note that the probability is now only over the choice of $f$ and $h$). Since $\sigma$ is a possible $A$-transcript, it follows that $T_{\hat\Psi} = \sigma$ if and only if $y_i = k_2 \oplus \Psi(g,f,f,g)(x_i \oplus k_1)$ for all $1 \le i \le q_c$, $y'_j = f(x'_j)$ for all $1 \le j \le q_{of}$, and $y''_j = h(x''_j)$ for all $1 \le j \le q_{og}$. If we define $S_i = k_1^L \oplus x_i^L \oplus g(x_i^R \oplus k_1^R)$ and $T_i = k_2^R \oplus y_i^R \oplus g(y_i^L \oplus k_2^L)$, then

$$\Psi(x_i) = y_i \iff f(S_i) \oplus k_1^R = T_i \oplus x_i^R \ \text{ and }\ f(T_i) \oplus k_2^L = y_i^L \oplus S_i.$$

Now observe that for all $1 \le i < j \le q_c$, $S_i \ne S_j$ and $T_i \ne T_j$ (otherwise $\sigma \in \mathrm{Bad}(k_1,k_2,g)$). Similarly, for all $1 \le i,j \le q_c$, $S_i \ne T_j$. In addition, it follows again from the fact that $\sigma \notin \mathrm{Bad}(k_1,k_2,g)$ that for all $1 \le i \le q_c$ and $1 \le j \le q_{of}$, $x'_j \ne S_i$ and $x'_j \ne T_i$. So, if $\sigma \notin \mathrm{Bad}(k_1,k_2,g)$, all the inputs to $f$ are distinct. Since $f$ is modeled as a random oracle, $\Pr_{f,h}[T_{\hat\Psi} = \sigma] = 2^{-(2q_c + q_{of} + q_{og})n}$ (the cipher transcript contributes $2^{-2nq_c}$ and the oracle transcripts contribute $2^{-(q_{of}+q_{og})n}$ to the probability). Thus, for every choice of $k_1,k_2,g$ such that $\sigma \notin \mathrm{Bad}(k_1,k_2,g)$, the probability that $T_{\hat\Psi} = \sigma$ is exactly the same. Therefore:

$$\Pr_{\hat\Psi}[T_{\hat\Psi} = \sigma \mid \sigma \notin \mathrm{Bad}(k_1,k_2,g)] = 2^{-(2q_c + q_{of} + q_{og})n}.$$
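As an added illustration (not code from the paper), the following Python models the construction $\Psi^{f,g}_{k_1,k_2}$ from the six round permutations with lazily sampled random oracles, computes the values $S_i$, $T_i$ of the proof above, checks the two-equation characterisation of $\Psi(x_i) = y_i$, and flags the events B1–B5 of Definition 14 on a transcript; the bit layout ($x^L$ is the high $n$ bits of a $2n$-bit value) and the seeded RNG are my assumptions.

```python
import random
from typing import Callable, Dict, List, Set, Tuple

Oracle = Callable[[int], int]


class RandomOracle:
    """Lazily sampled random function I_n -> I_n; a constructed stand-in for f and g."""

    def __init__(self, n: int, rng: random.Random) -> None:
        self.n, self.rng = n, rng
        self.table: Dict[int, int] = {}

    def __call__(self, x: int) -> int:
        if x not in self.table:              # fresh input: sample a fresh n-bit answer
            self.table[x] = self.rng.getrandbits(self.n)
        return self.table[x]


def halves(x: int, n: int) -> Tuple[int, int]:
    """Split a 2n-bit value into (x^L, x^R); assumption: x^L is the high n bits."""
    return x >> n, x & ((1 << n) - 1)


def feistel(fn: Oracle, x: int, n: int) -> int:
    """One round ~fn(x) = (x^R, x^L xor fn(x^R)) on I_2n."""
    xL, xR = halves(x, n)
    return (xR << n) | (xL ^ fn(xR))


def feistel_inv(fn: Oracle, z: int, n: int) -> int:
    """Inverse round ~fn^{-1}(z) = (z^R xor fn(z^L), z^L)."""
    zL, zR = halves(z, n)
    return ((zR ^ fn(zL)) << n) | zL


def psi(f: Oracle, g: Oracle, k1: int, k2: int, x: int, n: int) -> int:
    """Psi^{f,g}_{k1,k2}(x) = k2 xor Psi(g,f,f,g)(x xor k1), i.e. pi_6 o ... o pi_1."""
    z = x ^ k1                               # pi_1
    for fn in (g, f, f, g):                  # pi_2, pi_3, pi_4, pi_5
        z = feistel(fn, z, n)
    return z ^ k2                            # pi_6


def psi_inv(f: Oracle, g: Oracle, k1: int, k2: int, y: int, n: int) -> int:
    """Undo pi_6, ..., pi_1 in reverse order."""
    z = y ^ k2
    for fn in (g, f, f, g):
        z = feistel_inv(fn, z, n)
    return z ^ k1


def s_value(g: Oracle, k1: int, x: int, n: int) -> int:
    """S_i = k1^L xor x_i^L xor g(x_i^R xor k1^R): the input to f in round pi_3."""
    k1L, k1R = halves(k1, n)
    xL, xR = halves(x, n)
    return k1L ^ xL ^ g(xR ^ k1R)


def t_value(g: Oracle, k2: int, y: int, n: int) -> int:
    """T_i = k2^R xor y_i^R xor g(y_i^L xor k2^L): the input to f in round pi_4, seen from y_i."""
    k2L, k2R = halves(k2, n)
    yL, yR = halves(y, n)
    return k2R ^ yR ^ g(yL ^ k2L)


def matches_via_f(f: Oracle, g: Oracle, k1: int, k2: int, x: int, y: int, n: int) -> bool:
    """Lemma 2's test: Psi(x) = y iff f(S) xor k1^R = T xor x^R and f(T) xor k2^L = y^L xor S."""
    S, T = s_value(g, k1, x, n), t_value(g, k2, y, n)
    k1R, k2L, xR, yL = halves(k1, n)[1], halves(k2, n)[0], halves(x, n)[1], halves(y, n)[0]
    return (f(S) ^ k1R) == (T ^ xR) and (f(T) ^ k2L) == (yL ^ S)


def bad_events(f_queries: List[int], cipher: List[Tuple[int, int]],
               k1: int, k2: int, g: Oracle, n: int) -> Set[str]:
    """Events B1..B5 of Definition 14 on a consistent transcript: two f-inputs
    (S_i, T_i for cipher pairs, x'_j for f-oracle queries) that coincide."""
    S = [s_value(g, k1, x, n) for x, _ in cipher]
    T = [t_value(g, k2, y, n) for _, y in cipher]
    q = len(cipher)
    checks = {
        "B1": any(S[i] == S[j] for i in range(q) for j in range(i + 1, q)),
        "B2": any(T[i] == T[j] for i in range(q) for j in range(i + 1, q)),
        "B3": any(S[i] == T[j] for i in range(q) for j in range(q)),
        "B4": any(s == xp for s in S for xp in f_queries),
        "B5": any(t == xp for t in T for xp in f_queries),
    }
    return {name for name, hit in checks.items() if hit}


def theorem4_bound(qc: int, qof: int, qog: int, n: int) -> float:
    """Right-hand side of Theorem 4: Proposition 3 + Proposition 2 + twice Proposition 1."""
    return ((qc * qc + 2 * qof * qc + 2 * qog * qc + qc * qc - qc) * 2.0 ** (-n)
            + (qc * (qc - 1) // 2) * 2.0 ** (-2 * n + 1))


def demo(n: int = 16, seed: int = 1) -> Tuple[bool, bool, bool]:
    """Inversion and Lemma 2's iff on four constructed cipher queries (seeded for reproducibility)."""
    rng = random.Random(seed)
    f, g = RandomOracle(n, rng), RandomOracle(n, rng)
    k1, k2 = rng.getrandbits(2 * n), rng.getrandbits(2 * n)
    pairs = [(x, psi(f, g, k1, k2, x, n)) for x in [rng.getrandbits(2 * n) for _ in range(4)]]
    inverts = all(psi_inv(f, g, k1, k2, y, n) == x for x, y in pairs)
    iff_holds = all(matches_via_f(f, g, k1, k2, x, y, n) for x, y in pairs)
    iff_fails = all(not matches_via_f(f, g, k1, k2, x, y ^ 1, n) for x, y in pairs)  # y^1 != Psi(x)
    return inverts, iff_holds, iff_fails
```

With $g \equiv 0$ and zero keys (a constructed degenerate oracle, not a random one) $S_i = x_i^L$ and $T_i = y_i^R$, so collisions can be staged by hand to see B1–B5 fire.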

The rest of the proof consists of using the above lemma and Propositions 1, 2 and 3, as well as Lemmas 1 and 2, in a probability argument. The idea is to first express the adversary's advantage as a function of how its distinguishing machine behaves on specific transcripts. Then, these probabilities are re-expressed to incorporate the conditions Bad and BadG. By basic manipulation of probabilities, we can show that the adversary's advantage is bounded above by the probability of the conditions Bad or BadG occurring, plus the probability that the transcript is inconsistent. An additional term of the form $\binom{q_c}{2}\cdot 2^{-2n}$ also appears because of an application of the triangle inequality. The complete details are omitted due to space constraints, though they are available in the full version [GR04].

4 Conclusions 

We resolved a fundamental open problem of the Even-Mansour work by demonstrating that the underlying random permutation oracle could be instantiated with a construction based on random function oracles. There are many avenues for future work. For example, we may be able to apply our techniques to other situations where random permutation oracles are useful. Also, there is a sizeable gap between the best known key-recovery attack and the bound achieved in our security proof. Perhaps that gap can be decreased by developing a variant on the slide-with-twist that exploits the structure of our construction.
Abstract. We consider the problem of defining and achieving plaintext-aware encryption without random oracles in the classical public-key model. We provide definitions for a hierarchy of notions of increasing strength: PA0, PA1 and PA2, chosen so that PA1+IND-CPA ⇒ IND-CCA1 and PA2+IND-CPA ⇒ IND-CCA2. Towards achieving the new notions of plaintext awareness, we show that a scheme due to Damgård [12], denoted DEG, and the "lite" version of the Cramer-Shoup scheme [11], denoted CS-lite, are both PA0 under the DHK0 assumption of [12], and PA1 under an extension of this assumption called DHK1. As a result, DEG is the most efficient proven IND-CCA1 scheme known.



1 Introduction 

The theory of encryption is concerned with defining and implementing notions 
of security for encryption schemes [22, 23, 17, 25, 27, 15]. One of the themes in its 
history is the emergence of notions of security of increasing strength that over 
time find applications and acceptance. 

Our work pursues, from the same perspective, a notion that is stronger than 
any previous ones, namely plaintext awareness. Our goal is to strengthen the 
foundations of this notion by lifting it out of the random-oracle model where 
it currently resides. Towards this end, we provide definitions of a hierarchy of 
notions of plaintext awareness, relate them to existing notions, and implement 
some of them. We consider this a first step in the area, however, since important 
questions are left unresolved. We begin below by reviewing existing work and 
providing some motivation for our work. 

1.1 Background 

Intuitively, an encryption scheme is plaintext aware (PA) if the “only” way that 
an adversary can produce a valid ciphertext is to apply the encryption algorithm 
to the public key and a message. In other words, any adversary against a PA 
scheme that produces a ciphertext “knows” the corresponding plaintext. 

Random-Oracle model work. The notion of PA encryption was first suggested by Bellare and Rogaway [6], with the motivation that PA+IND-CPA should imply IND-CCA2. That is, security against chosen-plaintext attack coupled with plaintext awareness should imply security against adaptive chosen-ciphertext attack. The intuition, namely, that if an adversary knows the plaintext corresponding to a ciphertext it produces, then a decryption oracle must be useless to it, goes back to [8, 9]. Bellare and Rogaway [6] provided a formalization of PA in the random oracle (RO) model. They asked that for every adversary A taking the public key and outputting a ciphertext, there exists an extractor that, given the same public key and a transcript of the interaction of A with its RO, is able to decrypt the ciphertext output by A. We will refer to this notion as PA-BR.

P.J. Lee (Ed.): ASIACRYPT 2004, LNCS 3329, pp. 48-62, 2004.

Subsequently, it was found that PA-BR was too weak for PA-BR+IND-CPA to imply IND-CCA2. Bellare, Desai, Pointcheval and Rogaway [4] traced the cause of this to the fact that PA-BR did not capture the ability of the adversary to obtain ciphertexts via eavesdropping on communications made to the receiver. (Such eavesdropping can put into the adversary's hands ciphertexts whose decryptions it does not know, lending it the ability to create other ciphertexts whose decryptions it does not know.) They provided an appropriately enhanced definition (still in the RO model) that we denote by PA-BDPR, and showed that PA-BDPR+IND-CPA ⇒ IND-CCA2.

Plaintext awareness is exploited, even though typically implicitly rather than 
explicitly, in the proofs of the IND-CCA2 security of numerous RO-model en- 
cryption schemes, e.g., [16,28,7]. 

PA AND THE RO MODEL. By restricting the above-mentioned RO-model defini- 
tions to schemes and adversaries that do not query the RO, one obtains natural 
counterpart standard (i.e., non-RO) model definitions of PA. These standard- 
model definitions turn out, however, not to be achievable without sacrificing 
privacy, because the extractor can simply be used for decryption. This indicates 
that the use of the RO model in the definitions of [6, 4] is central. 

Indeed, PA as per [6,4] is “designed” for the RO model in the sense that 
the definition aims to capture certain properties of certain RO-model schemes, 
namely, the fact that possession of the transcript of the interaction of an adver- 
sary with its RO permits decryption of ciphertexts formed by this adversary. It 
is not clear what counterpart this intuition has in the standard model. 

The lack of a standard-model definition of PA results in several gaps. One 
such arises when we consider that RO-model PA schemes are eventually instan- 
tiated to get standard-model schemes. In that case, what property are these 
instantiated schemes even supposed to possess? There is no definition that we 
might even discuss as a target. 

PA VIA KEY REGISTRATION. PA without ROs was first considered by Herzog, Liskov and Micali [21], who define and implement it in an extension of the usual public-key setting. In their setting, the sender (not just the receiver) has a public key, and, in a key-registration phase that precedes encryption, proves knowledge of the corresponding secret key to a key-registration authority via an interactive proof of knowledge. Encryption is a function of the public keys of both the sender and the receiver, and the PA extractor works by extracting the sender secret key using the knowledge extractor of the interactive proof of knowledge.

Their work also points to an application of plaintext-aware encryption where 
the use of the latter is crucial in the sense that IND-CCA2-secure encryption 
does not suffice, namely to securely instantiate the ideal encryption functions of 
the Dolev-Yao model [14]. 

1.2 Our Goals and Motivation 

The goal of this work is to provide definitions and constructions for plaintext- 
aware public-key encryption in the standard and classical setting of public-key 
encryption, namely the one where the receiver (but not the sender) has a public 
key, and anyone (not just a registered sender) can encrypt a message for the 
receiver as a function of the receiver’s public key. In this setting there is no 
key-registration authority or key-registration protocol akin to [21]. 

Motivations include the following. As in the RO model, we would like a 
tool enabling the construction of public-key encryption schemes secure against 
chosen-ciphertext attack. We would also like to have some well-defined notion 
that can be viewed as a target for instantiated RO-model PA schemes. (One 
could then evaluate these schemes with regard to meeting the target.) 

Additionally, we would like to enable the possibility of instantiating the ideal 
encryption functions of the Dolev-Yao model [14] without recourse to either 
random oracles or the key-registration model. Note that the last is an application 
where, as per [21], PA is required and IND-CCA2 does not suffice, meaning 
plaintext-awareness is crucial. (However, see also [1].) 

As we will see later, consideration of PA in the standard model brings other 
benefits, such as some insight, or at least an alternative perspective, on the 
design of existing encryption schemes secure against chosen-ciphertext attack. 
Let us now discuss our contributions. 

1.3 Definitions 

The first contribution of this paper is to provide definitions for plaintext-aware 
encryption in the standard model and standard public-key setting. 

Overview. We provide a hierarchy consisting of three notions of increasing strength that we denote by PA0, PA1 and PA2. There are several motivations for this. One is that these will be seen (in conjunction with IND-CPA) to imply security against chosen-ciphertext attacks of different strengths. Another is that, as will become apparent, PA is difficult to achieve, and progress can be made by first achieving it in weaker forms. Finally, it is useful, pedagogically, to bring in new definitional elements incrementally.

A CLOSER LOOK. Our basic definitional framework considers a polynomial-time adversary C, called a ciphertext creator, that takes input the public key and can query ciphertexts to an oracle. A polynomial-time algorithm C* is said to be a successful extractor for C if it can provide replies to the oracle queries of C that are computationally indistinguishable from those provided by a decryption oracle.

[Fig. 1 (diagram): nodes PA0+IND-CPA, PA1+IND-CPA, PA2+IND-CPA]

Fig. 1. An arrow is an implication, and, in the directed graph given by the arrows, there is a path from A to B if and only if A implies B. The hatched arrows represent separations. Solid lines represent results from this paper, while dashed lines represent results from prior work [4, 15]. The number on an arrow or hatched arrow refers to the theorem in this paper that establishes this relationship. Absence of a number on a solid arrow means the result is trivial.

An important element of the above framework is that the extractor gets as 
input the same public key as the ciphertext creator, as well as the coin tosses 
of the ciphertext creator. This reflects the intuition that the extractor is the 
“subconscious” of the adversary, and begins with exactly the same information 
as the adversary itself. 

We say that an encryption scheme is PA0 (respectively, PA1) if there exists a successful extractor for any ciphertext creator that makes only a single oracle query (respectively, a polynomial number of oracle queries).

Eavesdropping capability in PA2 is captured by providing the ciphertext 
creator C with an additional oracle that returns ciphertexts, but care has to be 
taken in defining this oracle. It does not suffice to let it be an encryption oracle 
because we want to model the ability of the adversary to obtain ciphertexts whose 
decryptions it may not know. Our formalization of PA2 allows the additional 
oracle to compute a plaintext, as a function of the query made to it and coins 
unknown to C, and return the encryption of this plaintext to C. 

Formal definitions of PA0, PA1 and PA2 are in Section 3.

1.4 Relations 

PA by itself is not a notion of privacy, and so we are typically interested in PA coupled with the minimal notion of privacy, namely IND-CPA [22, 23]. We consider six notions, namely, PA0+IND-CPA, PA1+IND-CPA and PA2+IND-CPA, on the one hand, and the standard notions of privacy IND-CPA, IND-CCA1 [25] and IND-CCA2 [27], on the other. We provide implications and separations among these six notions in the style of [4, 15]. The results are depicted in Figure 1. For notions A, B, an implication, represented by A → B, means that every encryption scheme satisfying notion A also satisfies notion B, and a separation, represented by A ↛ B, means that there exists an encryption scheme satisfying notion A but not satisfying notion B. (The latter assumes there exists some encryption scheme satisfying notion A, since otherwise the question is vacuous.) Figure 1 shows a minimal set of arrows and hatched arrows, but the relation between any two notions is resolved by the given relations. For example, IND-CCA1 ↛ PA1+IND-CPA, because, otherwise, there would be a path from IND-CCA2 to PA0+IND-CPA, contradicting the hatched arrow labeled 3. Similarly, we get PA0 ↛ PA1 ↛ PA2, meaning the three notions of plaintext awareness are of increasing strength.

The main implications are that PA1+IND-CPA implies IND-CCA1 and PA2+IND-CPA implies IND-CCA2. The PA1+IND-CPA ⇒ IND-CCA1 result shows that even a notion of PA not taking eavesdropping adversaries into account is strong enough to imply security against a significant class of chosen-ciphertext attacks. Since the PA+IND-CPA ⇒ IND-CCA2 implication has been a motivating target for definitions of PA, the PA2+IND-CPA ⇒ IND-CCA2 result provides some validation for the definition of PA2.

Among the separations, we note that IND-CCA2 does not imply PA0, meaning even the strongest form of security against chosen-ciphertext attack is not enough to guarantee the weakest form of plaintext awareness.

1.5 Constructions 

The next problem we address is to find provably-secure plaintext-aware encryp- 
tion schemes. 

Approaches. A natural approach to consider is to include a non-interactive 
zero-knowledge proof of knowledge [13] of the message in the ciphertext. How- 
ever, as we explain in [2], this fails to achieve PA. 

As such approaches are considered and discarded, it becomes apparent that 
achieving even the weaker forms of PA in the standard (as opposed to RO) 
model may be difficult. We have been able to make progress, however, under 
some strong assumptions that we now describe. 

DHK ASSUMPTIONS. Let $G$ be the order $q$ subgroup of … where $q$, $2q+1$ are primes, and let $g$ be a generator of $G$. Damgård [12] introduced and used an assumption that states, roughly, that an adversary given $g^a$ and outputting a pair of the form $(g^b, g^{ab})$ must "know" $b$. The latter is captured by requiring an extractor that, given the adversary coins and inputs, can output $b$. We call our formalization of this assumption (cf. Assumption 2) DHK0.* We also introduce an extension of this assumption called DHK1 (cf. Assumption 1), in which the adversary does not just output one pair $(g^b, g^{ab})$ but instead interacts with the



* Another formalization, called DA-1, is used by Hada and Tanaka [19]. (We refer to the full version of their paper [19], which points out that the formalization of the preliminary version [20] is wrong.) This differs from DHK0 in being for a non-uniform setting. DA-1 is called KEA1 by [5], based on Naor's terminology [24]: KEA stands for "knowledge of exponent." Hada and Tanaka [19] also introduced and used another assumption, that they call DA-2 and is called KEA2 in [5], but the latter show that this assumption is false. The DHK0/DA-1/KEA1 assumptions, to the best of our knowledge, are not known to be false.
extractor, feeding it such pairs adaptively and each time expecting back the discrete logarithm of the first component of the pair.

The DEG scheme. Damgård presented a simple ElGamal variant that we call DEG. It is efficient, requiring only three exponentiations to encrypt and two to decrypt.

We prove that DEG is PA0 under the DHK0 assumption and PA1 under the DHK1 assumption. Since DEG is easily seen to be IND-CPA under the DDH assumption, and we saw above that PA1+IND-CPA ⇒ IND-CCA1, a consequence is that DEG is IND-CCA1 assuming DHK1 and DDH. DEG is in fact the most efficient IND-CCA1 scheme known to date to be provably secure in the standard model.

Damgård [12] claims that DEG meets a notion of security under ciphertext attack that we call RPR-CCA1, assuming DHK0 and assuming the ElGamal scheme meets a notion called RPR-CPA. (Both notions are recalled in the full version of this paper [2], and are weaker than IND-CCA1 and IND-CPA, respectively.) As we explain in [2], his proof has a flaw, but his overall approach and intuition are valid, and the proof can be fixed by simply assuming DHK1 in place of DHK0. In summary, our contribution is (1) to show that DEG meets a stronger and more standard notion of security than RPR-CCA1, namely IND-CCA1, and (2) to show it is PA0 and PA1, indicating that it has even stronger properties, and providing some formal support for the intuition given in [12] about the security underlying the scheme.

CS-lite. CS-lite is a simpler and more efficient version of the Cramer-Shoup encryption scheme [11] that is IND-CCA1 under the DDH assumption. We show that CS-lite is PA0 under the DHK0 assumption and PA1 under the DHK1 assumption. (IND-CPA under DDH being easy to see, this again implies CS-lite is IND-CCA1 under DHK1 and DDH, but in this case the conclusion is not novel.) What we believe is interesting about our results is that they show that some form of plaintext awareness underlies the CS-lite scheme, and this provides perhaps an alternative viewpoint on the source of its security. We remark, however, that DEG is more efficient than CS-lite.

Warning and discussion. DHK0 and DHK1 are strong and non-standard assumptions. As pointed out by Naor [24], they are not efficiently falsifiable. (However, such assumptions can be shown to be false, as exemplified in [5].) However, standard-model schemes, even under strong assumptions, might provide better guarantees than RO-model schemes, for we know that the latter may not provide real-world security guarantees at all [10,26,18,3]. Also, PA without random oracles is challenging to achieve, and we consider it important to "break ground" by showing it is possible, even if under strong assumptions.

Open questions. The central open question is to find an IND-CPA+PA2 scheme provably secure under some plausible assumption. We suggest, in particular, that an interesting question is whether the Cramer-Shoup scheme, already known to be IND-CCA2, is PA2 under some appropriate assumption. (Intuitively, it seems to be PA2.) It would also be nice to achieve PA0 or PA1 under weaker and more standard assumptions than those used here.



2 Notation and Standard Definitions 

We let N = {1, 2, 3, ...}. We denote by ε the empty string, by |x| the length of a string x, by x̄ the bitwise complement of x, by "||" the string-concatenation operator, and by 1^k the string of k ∈ N ones. We denote by [] the empty list. Given a list L and an element x, L @ x denotes the list consisting of the elements in L followed by x. If S is a randomized algorithm, then S(x, y, ...; R) denotes its output on inputs x, y, ... and coins R; s ←$ S(x, y, ...) denotes the result of picking R at random and setting s = S(x, y, ...; R); and [S(x, y, ...)] denotes the set of all points having positive probability of being output by S on inputs x, y, .... Unless otherwise indicated, an algorithm is randomized.

Encryption schemes. We recall the standard syntax. An asymmetric (also called public-key) encryption scheme is a tuple AE = (K, E, D, MsgSp) whose components are as follows. The polynomial-time key-generation algorithm K takes input 1^k, where k ∈ N is the security parameter, and returns a pair (pk, sk) consisting of a public key and matching secret key. The polynomial-time encryption algorithm E takes a public key pk and a message M to return a ciphertext C. The deterministic, polynomial-time decryption algorithm D takes a secret key sk and a ciphertext C to return either a message M or the special symbol ⊥ indicating that the ciphertext is invalid. The polynomial-time computable message-space function MsgSp associates to each public key pk a set MsgSp(pk) called the message space of pk. It is required that for every k ∈ N

$$\Pr\left[\,(pk, sk) \stackrel{\$}{\leftarrow} \mathcal{K}(1^k)\,;\ M \stackrel{\$}{\leftarrow} \mathrm{MsgSp}(pk)\,;\ C \stackrel{\$}{\leftarrow} \mathcal{E}(pk, M)\ :\ \mathcal{D}(sk, C) = M\,\right] = 1\,.$$

Standard security notions. We recall the definitions of IND-CPA, IND-CCA1, and IND-CCA2 security that originate in [22], [25], and [27], respectively. We use the formalizations of [4]. Let AE = (K, E, D, MsgSp) be an asymmetric encryption scheme, let k ∈ N and b ∈ {0, 1}. Let X be an algorithm with access to an oracle. For aaa ∈ {cpa, cca1, cca2}, consider the following experiment

Experiment Exp^{ind-aaa-b}_{AE,X}(k)
    (pk, sk) ←$ K(1^k) ; (M0, M1, St) ←$ X^{O1(·)}(find, pk) ; C ←$ E(pk, Mb)
    d ←$ X^{O2(·)}(guess, C, St) ; Return d

where

    If aaa = cpa  then O1(·) = ε       and O2(·) = ε
    If aaa = cca1 then O1(·) = D_sk(·) and O2(·) = ε
    If aaa = cca2 then O1(·) = D_sk(·) and O2(·) = D_sk(·)

In each case it is required that M0, M1 ∈ MsgSp(pk) and |M0| = |M1|. In the case of IND-CCA2, it is also required that X not query its decryption oracle with ciphertext C. We call X an ind-aaa-adversary. The ind-aaa-advantage of X is

$$\mathbf{Adv}^{\mathrm{ind\text{-}aaa}}_{\mathcal{AE},X}(k) = \Pr\left[\mathbf{Exp}^{\mathrm{ind\text{-}aaa\text{-}1}}_{\mathcal{AE},X}(k) = 1\right] - \Pr\left[\mathbf{Exp}^{\mathrm{ind\text{-}aaa\text{-}0}}_{\mathcal{AE},X}(k) = 1\right]\,.$$

For AAA ∈ {CPA, CCA1, CCA2}, AE is said to be IND-AAA secure if Adv^{ind-aaa}_{AE,X}(·) is negligible for every polynomial-time ind-aaa-adversary X.

Experiment Exp^{pa1-d}_{AE,C,D}(k)
    (pk, sk) ←$ K(1^k) ; x ←$ C^{D(sk,·)}(pk) ; d ←$ D(x) ; Return d

Experiment Exp^{pa1-x}_{AE,C,D,C*}(k)
    (pk, sk) ←$ K(1^k)
    Choose coins R[C], R[C*] for C, C*, respectively ; St[C*] ← (pk, R[C])
    Run C on input pk and coins R[C] until it halts, replying to its oracle queries as follows:
        - If C makes query Q then
              (M, St[C*]) ← C*(Q, St[C*]; R[C*]) ; Return M to C as the reply EndIf
    Let x denote the output of C ; d ←$ D(x) ; Return d

Fig. 2. Experiments used to define PA1 and PA0
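As an added illustration of the syntax and of the IND-CPA experiment above (this is example code written for this edit, not code from the paper), the following Python runs Exp^{ind-cpa-b} against plain ElGamal over a small prime-order group, the "obvious idea" discussed later in Section 5. The group parameters (p = 1019, q = 509, g = 4) and the `deterministic=True` variant, which reuses a fixed coin y, are constructed assumptions; the variant exists only to show the advantage of a simple "re-encrypt M1 and compare" adversary jump from about 0 to exactly 1 when the encryptor stops using fresh coins.

```python
import random

# Constructed toy group (assumption: tiny, illustration only): p = 2q + 1, g = 4 generates G_q.
P, Q, G = 1019, 509, 4


class ElGamal:
    """Plain ElGamal over G_q.  With deterministic=True the encryptor reuses a fixed coin y,
    which turns it into a deterministic scheme (constructed here to exhibit an IND-CPA break;
    it is not a scheme from the paper)."""

    def __init__(self, deterministic=False):
        self.deterministic = deterministic

    def keygen(self, rng):
        """K(1^k): secret exponent x, public element X = g^x mod p."""
        x = rng.randrange(1, Q)
        return (P, Q, G, pow(G, x, P)), (P, Q, G, x)

    def encrypt(self, pk, m, rng):
        """E(pk, M) = (g^y, X^y * M) with coins y (fixed to 7 in the deterministic variant)."""
        p, q, g, X = pk
        y = 7 if self.deterministic else rng.randrange(1, q)
        return (pow(g, y, p), pow(X, y, p) * m % p)

    def decrypt(self, sk, c):
        """D(sk, (Y, U)) = U * (Y^x)^{-1} mod p."""
        p, q, g, x = sk
        Y, U = c
        return U * pow(pow(Y, x, p), -1, p) % p


class ReencryptAdversary:
    """ind-cpa adversary X: find picks two messages of equal length (both group elements, so
    |M0| = |M1|); guess re-encrypts M1 under pk and outputs 1 iff the result equals the challenge."""

    def __init__(self, scheme):
        self.scheme = scheme

    def find(self, pk, rng):
        return 16, 64, None            # M0 = g^2, M1 = g^3, both in MsgSp(pk) = G_q; no state

    def guess(self, pk, c, st, rng):
        return 1 if self.scheme.encrypt(pk, 64, rng) == c else 0


def correctness_holds(scheme, trials, seed):
    """The consistency requirement of Section 2: D(sk, E(pk, M)) = M for random keys and M ∈ G_q."""
    rng = random.Random(seed)
    for _ in range(trials):
        pk, sk = scheme.keygen(rng)
        m = pow(G, rng.randrange(1, Q), P)      # M ←$ MsgSp(pk)
        if scheme.decrypt(sk, scheme.encrypt(pk, m, rng)) != m:
            return False
    return True


def ind_cpa_experiment(scheme, adversary, b, rng):
    """One run of Exp^{ind-cpa-b}_{AE,X}(k); with aaa = cpa both oracles O1, O2 are empty."""
    pk, sk = scheme.keygen(rng)
    m0, m1, st = adversary.find(pk, rng)
    c = scheme.encrypt(pk, m1 if b == 1 else m0, rng)
    return adversary.guess(pk, c, st, rng)


def ind_cpa_advantage(scheme, adversary, trials, seed):
    """Empirical Adv^{ind-cpa}: Pr[Exp^1 = 1] - Pr[Exp^0 = 1], each estimated over `trials` runs."""
    rng = random.Random(seed)
    ones = sum(ind_cpa_experiment(scheme, adversary, 1, rng) for _ in range(trials))
    zeros = sum(ind_cpa_experiment(scheme, adversary, 0, rng) for _ in range(trials))
    return (ones - zeros) / trials
```

Against the randomized scheme the adversary's re-encryption matches the challenge only when the fresh coin collides with the challenge coin (probability about 1/q per run), so its measured advantage stays near zero; this does not prove IND-CPA, it only shows that this particular adversary fails. Against the deterministic variant the comparison is exact and the advantage is 1.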






3 New Notions of Plaintext Awareness 



In this section we provide our formalizations of plaintext-aware encryption. We provide the formal definitions first and explanations later. We begin with PA1, then define PA0 via this, and finally define PA2.



Definition 1. [PA1] Let AE = (K, E, D, MsgSp) be an asymmetric encryption scheme. Let C be an algorithm that has access to an oracle, takes as input a public key pk, and returns a string. Let D be an algorithm that takes a string and returns a bit. Let C* be an algorithm that takes a string and some state information, and returns a message or the symbol ⊥, and a new state. We call C a ciphertext-creator adversary, D a distinguisher, and C* a pa1-extractor. For k ∈ N, we define the experiments shown in Figure 2. The pa1-advantage of C relative to D and C* is

$$\mathbf{Adv}^{\mathrm{pa1}}_{\mathcal{AE},C,D,C^*}(k) = \Pr\left[\mathbf{Exp}^{\mathrm{pa1\text{-}d}}_{\mathcal{AE},C,D}(k) = 1\right] - \Pr\left[\mathbf{Exp}^{\mathrm{pa1\text{-}x}}_{\mathcal{AE},C,D,C^*}(k) = 1\right]\,.$$

We say that C* is a successful pa1-extractor for C if for every polynomial-time distinguisher D the function Adv^{pa1}_{AE,C,D,C*}(·) is negligible. We say AE is PA1 secure if for any polynomial-time ciphertext creator there exists a successful polynomial-time pa1-extractor. ∎



Definition 2. [PA0] Let AE be an asymmetric encryption scheme. We call a ciphertext-creator adversary that makes exactly one oracle query a pa0 ciphertext creator. We call a pa1-extractor for a pa0 ciphertext creator a pa0-extractor. We say that AE is PA0 secure if for any polynomial-time pa0 ciphertext creator there exists a successful polynomial-time pa0-extractor. ∎
Experiment Exp^{pa2-d}_{AE,C,P,D}(k)
    (pk, sk) ←$ K(1^k) ; Clist ← []
    Choose coins R[C], R[P] for C, P, respectively ; St[P] ← ε
    Run C on input pk and coins R[C] until it halts, replying to its oracle queries as follows:
        - If C makes query (dec, Q) then
              M ← D(sk, Q) ; Return M to C as the reply EndIf
        - If C makes query (enc, Q) then
              (M, St[P]) ← P(Q, St[P]; R[P]) ; C ←$ E(pk, M) ; Clist ← Clist @ C
              Return C to C as the reply EndIf
    Let x denote the output of C ; d ←$ D(x) ; Return d

Experiment Exp^{pa2-x}_{AE,C,P,D,C*}(k)
    (pk, sk) ←$ K(1^k) ; Clist ← []
    Choose coins R[C], R[P], R[C*] for C, P, C*, respectively
    St[P] ← ε ; St[C*] ← (pk, R[C])
    Run C on input pk and coins R[C] until it halts, replying to its oracle queries as follows:
        - If C makes query (dec, Q) then
              (M, St[C*]) ← C*(Q, Clist, St[C*]; R[C*])
              Return M to C as the reply EndIf
        - If C makes query (enc, Q) then
              (M, St[P]) ← P(Q, St[P]; R[P]) ; C ←$ E(pk, M) ; Clist ← Clist @ C
              Return C to C as the reply EndIf
    Let x denote the output of C ; d ←$ D(x) ; Return d

Fig. 3. Experiments used to define PA2

We now explain the ideas behind the above formalisms. The core of the formalization of plaintext awareness of asymmetric encryption scheme AE = (K, E, D, MsgSp) considers a polynomial-time ciphertext-creator adversary C that takes input a public key pk, has access to an oracle and returns a string. The adversary tries to distinguish between the cases that its oracle is D(sk, ·), or it is an extractor algorithm C* that takes as input the same public key pk. PA1 security requires that there exist a polynomial-time C* such that C's outputs in the two cases are indistinguishable. We allow C* to be stateful, maintaining state St[C*] across invocations. Importantly, C* is provided with the coin tosses of C; otherwise, C* would be functionally equivalent to the decryption algorithm and thus could not exist unless AE were insecure with regard to providing privacy. We remark that this formulation is stronger than one not involving a distinguisher D, in which C simply outputs a bit representing its guess, since C* gets the coins of C, but not the coins of D.

PA0 security considers only adversaries that make a single query in their attempt to determine if the oracle is a decryption oracle or an extractor.
Definition 3. [PA2] Let AE = (K, E, D, MsgSp) be an asymmetric encryption scheme. Let C be an algorithm that has access to an oracle, takes as input a public key pk, and returns a string. Let P be an algorithm that takes a string and some state information, and returns a message and a new state. Let D be an algorithm that takes a string and returns a bit. Let C* be an algorithm that takes a string, a list of strings and some state information, and returns a message or the symbol ⊥, and a new state. We call C a ciphertext-creator adversary, P a plaintext-creator adversary, D a distinguisher, and C* a pa2-extractor. For k ∈ N, we define the experiments shown in Figure 3. It is required that, in these experiments, C not make a query (dec, C) for which C ∈ Clist. The pa2-advantage of C relative to P, D and C* is

$$\mathbf{Adv}^{\mathrm{pa2}}_{\mathcal{AE},C,P,D,C^*}(k) = \Pr\left[\mathbf{Exp}^{\mathrm{pa2\text{-}d}}_{\mathcal{AE},C,P,D}(k) = 1\right] - \Pr\left[\mathbf{Exp}^{\mathrm{pa2\text{-}x}}_{\mathcal{AE},C,P,D,C^*}(k) = 1\right]\,.$$

We say that C* is a successful pa2-extractor for C if for every polynomial-time plaintext creator P and distinguisher D, the function Adv^{pa2}_{AE,C,P,D,C*}(·) is negligible. We say AE is PA2 secure if for any polynomial-time ciphertext creator there exists a successful polynomial-time pa2-extractor. ∎

In the definition of PA2, the core setting of PA1 is enhanced to model the real-life capability of a ciphertext creator to obtain ciphertexts via eavesdropping on communications made by a third party to the receiver (cf. [4]). Providing C with an encryption oracle does not capture this because eavesdropping puts into C's hands ciphertexts of which it does not know the corresponding plaintext, and, although we disallow C to query these to its oracle, it might be able to use them to create other ciphertexts whose corresponding plaintext it does not know and on which the extractor fails.

Modeling eavesdropping requires balancing two elements: providing C with a capability to obtain ciphertexts of plaintexts it does not know, yet capturing the fact that C might have partial information about the plaintexts, or control of the distribution from which these plaintexts are drawn. We introduce a companion plaintext-creator adversary P who, upon receiving a communication from C, creates a plaintext and forwards it to an encryption oracle. The ciphertext emanating from the encryption oracle is sent to both C and C*. C has some control over P via its communication to P, but we ensure this is not total by denying C and C* the coin tosses of P, and also by asking that C* depend on C but not on P.

The extractor C* is, as before, provided with the coin tosses of C. Two types of oracle queries are allowed to C. Via a query (dec, Q), it can ask its oracle to decrypt ciphertext Q. Alternatively, it can make a query (enc, Q) to call P with argument Q, upon which the latter computes a message M and forwards it to the encryption oracle, which returns the resulting ciphertext to C, and to C* in the case that C's oracle is C*. We observe that if an asymmetric encryption scheme is PA2 secure then it is PA1 secure, and if it is PA1 secure then it is PA0 secure.

See [2] for extensive comparisons of these definitions with previous ones, and 
also for stronger, statistical versions of these notions. 
4 Relations Among Notions

We now state the formal results corresponding to Figure 1, beginning with the two motivating applications of our notions of plaintext awareness. Proofs of these results are provided in the full version of this paper [2].

Theorem 1. [PA1+IND-CPA ⇒ IND-CCA1] Let AE be an asymmetric encryption scheme. If AE is PA1 secure and IND-CPA secure, then it is IND-CCA1 secure. ∎

Theorem 2. [PA2+IND-CPA ⇒ IND-CCA2] Let AE be an asymmetric encryption scheme. If AE is PA2 secure and IND-CPA secure, then it is IND-CCA2 secure. ∎

Theorem 3. [IND-CCA2 ⇏ PA0+IND-CPA] Assume there exists an IND-CCA2-secure asymmetric encryption scheme. Then there exists an IND-CCA2-secure asymmetric encryption scheme that is not PA0 secure. ∎

Theorem 4. [PA1+IND-CPA ⇏ IND-CCA2] Assume there exists a PA1-secure and IND-CPA-secure asymmetric encryption scheme. Then there exists a PA1-secure and IND-CPA-secure asymmetric encryption scheme that is not IND-CCA2 secure. ∎

Theorem 5. [PA0+IND-CPA ⇏ IND-CCA1] Assume there exists a PA0-secure and IND-CPA-secure asymmetric encryption scheme. Then there exists a PA0-secure and IND-CPA-secure asymmetric encryption scheme that is not IND-CCA1 secure. ∎



5 Constructions 

Prime-order groups. If p, q are primes such that p = 2q + 1, then we let G_q denote the subgroup of quadratic residues of Z_p^*. Recall this is a cyclic subgroup of order q. If g is a generator of G_q then dlog_{p,q,g}(X) denotes the discrete logarithm of X ∈ G_q to base g. A prime-order-group generator is a polynomial-time algorithm G that on input 1^k returns a triple (p, q, g) such that p, q are primes with p = 2q + 1, g is a generator of G_q, and 2^{k-1} < p < 2^k (p is k bits long).

The DHK assumptions. Let G be a prime-order-group generator, and suppose (p, q, g) ∈ [G(1^k)]. We say that (A, B, W) is a DH-triple if there exist a, b ∈ Z_q such that A = g^a mod p, B = g^b mod p and W = g^{ab} mod p. We say that (B, W) is a DH-pair relative to A if (A, B, W) is a DH-triple. One way for an adversary H taking input p, q, g, A to output a DH-pair (B, W) relative to A is to pick, and thus "know", some b ∈ Z_q, set B = g^b mod p and W = A^b mod p, and output (B, W). Damgård [12] makes an assumption which, informally, says that this is the "only" way that a polynomial-time adversary H can output a DH-pair relative to A. His framework to capture this requires that there exist a suitable extractor H* that can compute dlog_{p,q,g}(B) whenever H outputs some DH-pair (B, W) relative to A.

We provide a formalization of this assumption that we refer to as the DHK0 (DHK stands for Diffie-Hellman Knowledge) assumption. We also present a natural extension of this assumption that we refer to as DHK1. Here the adversary H, given p, q, g, A, interacts with the extractor, querying it adaptively. The extractor is required to be able to return dlog_{p,q,g}(B) for each DH-pair (B, W) relative to A that is queried to it. Below we first present the DHK1 assumption, and then define the DHK0 assumption via this.

Experiment Exp^{dhk1}_{G,H,H*}(k)
    (p, q, g) ←$ G(1^k) ; a ←$ Z_q ; A ← g^a mod p
    Choose coins R[H], R[H*] for H, H*, respectively ; St[H*] ← ((p, q, g, A), R[H])
    Run H on input p, q, g, A and coins R[H] until it halts, replying to its oracle queries as follows:
        - If H makes query (B, W) then
              (b, St[H*]) ← H*((B, W), St[H*]; R[H*])
              If W ≡ B^a (mod p) and B ≢ g^b (mod p) then return 1
              Else return b to H as the reply EndIf EndIf
    Return 0

Fig. 4. Experiment used to define the DHK1 and DHK0 assumptions

Assumption 1. [DHK1] Let G be a prime-order-group generator. Let H be an algorithm that has access to an oracle, takes two primes and two group elements, and returns nothing. Let H* be an algorithm that takes a pair of group elements and some state information, and returns an exponent and a new state. We call H a dhk1-adversary and H* a dhk1-extractor. For k ∈ N we define the experiment shown in Figure 4. The dhk1-advantage of H relative to H* is

$$\mathbf{Adv}^{\mathrm{dhk1}}_{G,H,H^*}(k) = \Pr\left[\mathbf{Exp}^{\mathrm{dhk1}}_{G,H,H^*}(k) = 1\right]\,.$$

We say that G satisfies the DHK1 assumption if for every polynomial-time dhk1-adversary H there exists a polynomial-time dhk1-extractor H* such that Adv^{dhk1}_{G,H,H*}(·) is negligible. ∎

Assumption 2. [DHK0] Let G be a prime-order-group generator. We call a dhk1-adversary that makes exactly one oracle query a dhk0-adversary. We call a dhk1-extractor for a dhk0-adversary a dhk0-extractor. We say that G satisfies the Diffie-Hellman Knowledge (DHK0) assumption if for every polynomial-time dhk0-adversary H there exists a polynomial-time dhk0-extractor H* such that Adv^{dhk1}_{G,H,H*}(·) is negligible. ∎

We observe that DHK1 implies DHK0 in the sense that if a prime-order-group generator satisfies the former assumption then it also satisfies the latter assumption.
Algorithm K(1^k)
    (p, q, g) ←$ G(1^k)
    x1 ←$ Z_q ; X1 ← g^{x1} mod p
    x2 ←$ Z_q ; X2 ← g^{x2} mod p
    Return ((p, q, g, X1, X2), (p, q, g, x1, x2))

Algorithm E((p, q, g, X1, X2), M)
    y ←$ Z_q ; Y ← g^y mod p
    W ← X1^y mod p ; V ← X2^y mod p
    U ← V · M mod p
    Return (Y, W, U)

Algorithm D((p, q, g, x1, x2), (Y, W, U))
    If W ≢ Y^{x1} (mod p) then return ⊥
    Else V ← Y^{x2} mod p ; M ← U · V^{-1} mod p ; Return M
    EndIf

MsgSp((p, q, g, X1, X2)) = G_q

Fig. 5. Algorithms of the encryption scheme DEG = (K, E, D, MsgSp) based on prime-order-group generator G



Constructions. We would like to build an asymmetric encryption scheme that is PA0 secure (and IND-CPA secure) under the DHK0 assumption. An obvious idea is to use ElGamal encryption. Here the public key is X = g^x mod p, where x is the secret key, and an encryption of message M ∈ G_q has the form (Y, U), where Y = g^y mod p and U = X^y · M mod p = g^{xy} · M mod p. However, we do not know whether this scheme is PA0 secure.

We consider a modification of the ElGamal scheme that was proposed by Damgård [12]. We call this scheme Damgård ElGamal or DEG. It is parameterized by a prime-order-group generator G, and its components are depicted in Figure 5. The proof of the following is in the full version of this paper [2]:

Theorem 6. Let G be a prime-order-group generator and let DEG = (K, E, D, MsgSp) be the associated Damgård ElGamal asymmetric encryption scheme defined in Figure 5. If G satisfies the DHK0 and DDH assumptions then DEG is PA0+IND-CPA secure. If G satisfies the DHK1 and DDH assumptions then DEG is PA1+IND-CPA secure. ∎

As a consequence of the above and Theorem 1, DEG is IND-CCA1 secure under the DHK1 and DDH assumptions. DEG is in fact the most efficient known IND-CCA1 scheme with some proof of security in the standard model.
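The following Python is an added example (written for this edit, not the paper's code) that implements the DEG algorithms of Figure 5 and acts out the PA0 intuition behind Theorem 6 together with the DHK-pair check of Section 5: a pa0 ciphertext creator builds its single query from its own coins, and an extractor that is handed those coins (as in Figure 2) recovers the exponent y, checks that (Y, W) is the DH-pair relative to X1 that y implies, and strips X2^y without ever seeing sk. The group (p = 1019, q = 509, g = 4) is a constructed toy, and modelling the coins R[C] as a PRNG seed that the extractor replays is an assumption made for the illustration; the real DHK0 extractor is only guaranteed to exist, not given by a replay.

```python
import random

# Constructed toy parameters (assumption: a 10-bit safe prime, far too small for real use).
# p = 2q + 1 with q prime; 4 = 2^2 is a quadratic residue, so it generates G_q.
P, Q, G = 1019, 509, 4


def deg_keygen(rng):
    """Algorithm K of Figure 5: two secret exponents x1, x2 over the same group."""
    x1, x2 = rng.randrange(1, Q), rng.randrange(1, Q)
    pk = (P, Q, G, pow(G, x1, P), pow(G, x2, P))
    sk = (P, Q, G, x1, x2)
    return pk, sk


def deg_encrypt_with_coins(pk, m, y):
    """Algorithm E of Figure 5 with the coin y made explicit so it can be replayed."""
    p, q, g, X1, X2 = pk
    Y = pow(g, y, p)
    W = pow(X1, y, p)                   # (Y, W) is a DH-pair relative to X1
    V = pow(X2, y, p)
    return (Y, W, V * m % p)


def deg_encrypt(pk, m, rng):
    return deg_encrypt_with_coins(pk, m, rng.randrange(1, pk[1]))


def deg_decrypt(sk, c):
    """Algorithm D of Figure 5: reject unless (Y, W) is a DH-pair relative to X1, then strip Y^x2."""
    p, q, g, x1, x2 = sk
    Y, W, U = c
    if W != pow(Y, x1, p):
        return None                     # stands for the symbol ⊥
    V = pow(Y, x2, p)
    return U * pow(V, -1, p) % p


def is_dh_pair_relative_to(A, B, W, a):
    """DH-pair check of Section 5, performed by the party holding a = dlog(A)."""
    return pow(B, a, P) == W


def creator_query(pk, coins):
    """Single oracle query of a pa0 ciphertext creator C: it draws a message and the coin y
    from its coins R[C] and encrypts.  Returns (query, message) so a test can compare."""
    rng = random.Random(coins)          # R[C] modelled as a PRNG seed (assumption)
    m = pow(G, rng.randrange(1, Q), P)  # a message in MsgSp(pk) = G_q
    y = rng.randrange(1, Q)
    return deg_encrypt_with_coins(pk, m, y), m


def extractor(pk, query, coins):
    """pa0-extractor C*: given R[C] it re-derives y exactly as C did.  This is the DHK0
    intuition: the only way C can produce a DH-pair (Y, W) relative to X1 is to know y,
    and with y the plaintext follows without sk."""
    rng = random.Random(coins)
    rng.randrange(1, Q)                 # replay C's message draw (value not needed)
    y = rng.randrange(1, Q)
    p, q, g, X1, X2 = pk
    Y, W, U = query
    if Y != pow(g, y, p) or W != pow(X1, y, p):
        return None                     # not the DH-pair C's coins produce: answer ⊥
    return U * pow(pow(X2, y, p), -1, p) % p


def roundtrip_ok(seed):
    """Consistency of Figure 5: D(sk, E(pk, M)) = M and (Y, W) passes the DH-pair check."""
    rng = random.Random(seed)
    pk, sk = deg_keygen(rng)
    Y, W, U = deg_encrypt(pk, 16, rng)  # 16 = g^2 is in G_q
    return deg_decrypt(sk, (Y, W, U)) == 16 and is_dh_pair_relative_to(pk[3], Y, W, sk[3])


def extractor_matches_decryption(seed):
    """Both sides of the PA0 experiment answer the creator's query identically."""
    rng = random.Random(seed)
    pk, sk = deg_keygen(rng)
    coins = rng.getrandbits(64)
    query, m = creator_query(pk, coins)
    return deg_decrypt(sk, query) == m and extractor(pk, query, coins) == m


def malformed_is_rejected(seed):
    """A ciphertext whose (Y, W) is not a DH-pair relative to X1 gets ⊥ from both D and C*."""
    rng = random.Random(seed)
    pk, sk = deg_keygen(rng)
    coins = rng.getrandbits(64)
    (Y, W, U), _ = creator_query(pk, coins)
    bad = (Y, W * G % P, U)             # W is perturbed, so W != Y^x1
    return deg_decrypt(sk, bad) is None and extractor(pk, bad, coins) is None
```

The two helpers at the end are the distinguisher's view: on a well-formed query and on a perturbed one, the decryption oracle and the extractor return the same answer, which is exactly what a small pa1-advantage means. Note that the scheme's own check W ≡ Y^{x1} is a DH-pair test with the secret exponent, while the extractor performs the same test with the creator's exponent y instead.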

Next we consider the "lite" version of the Cramer-Shoup asymmetric encryption scheme [11]. The scheme, denoted CS-lite, is parameterized by a prime-order-group generator G, and its components are depicted in Figure 6. This scheme is known to be IND-CCA1 secure under the DDH assumption [11]. We are able to show the following. The proof can be found in [2].

Theorem 7. Let G be a prime-order-group generator, and let CS-lite = (K, E, D, MsgSp) be the associated Cramer-Shoup lite asymmetric encryption scheme defined in Figure 6. If G satisfies the DHK0 and DDH assumptions then CS-lite is PA0+IND-CPA secure. If G satisfies the DHK1 and DDH assumptions then CS-lite is PA1+IND-CPA secure. ∎
Algorithm K(1^k)
    (p, q, g1) ←$ G(1^k) ; g2 ←$ G_q
    x1 ←$ Z_q ; x2 ←$ Z_q ; z ←$ Z_q
    X ← g1^{x1} · g2^{x2} mod p ; Z ← g1^z mod p
    Return ((p, q, g1, g2, X, Z), (p, q, g1, g2, x1, x2, z))

Algorithm E((p, q, g1, g2, X, Z), M)
    r ←$ Z_q
    R1 ← g1^r mod p
    R2 ← g2^r mod p
    E ← Z^r · M mod p
    V ← X^r mod p
    Return (R1, R2, E, V)

Algorithm D((p, q, g1, g2, x1, x2, z), (R1, R2, E, V))
    If V ≢ R1^{x1} · R2^{x2} (mod p) then return ⊥
    Else M ← E · (R1^z)^{-1} mod p ; Return M EndIf

MsgSp((p, q, g1, g2, X, Z)) = G_q

Fig. 6. Algorithms of the encryption scheme CS-lite = (K, E, D, MsgSp) based on prime-order-group generator G



Again, the above and Theorem 1 imply that CS-lite is IND-CCA1 secure under the DHK1 and DDH assumptions. This however is not news, since we already know that DDH alone suffices to prove it IND-CCA1 [11]. However, it does perhaps provide a new perspective on why the scheme is IND-CCA1, namely that this is due to its possessing some form of plaintext awareness.

In summary, we have been able to show that plaintext awareness without ROs is efficiently achievable, even though under very strong and non-standard assumptions.
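As an added example (code written for this edit, not from the paper), the following Python implements the CS-lite algorithms of Figure 6 over a constructed toy group (p = 1019, q = 509, g1 = 4) and exercises the consistency check V ≡ R1^{x1} · R2^{x2}: a tuple built with two different exponents r ≠ r' for R1 and R2 is not a DH-tuple and is rejected. The last function shows something the page does not discuss but which follows directly from Figure 6: the check covers only (R1, R2, V), so scaling E by a group element yields another valid ciphertext of a scaled plaintext. That malleability is the reason a scheme with this structure can be IND-CCA1 without being IND-CCA2 (compare Theorem 4).

```python
import random

# Constructed toy safe prime p = 2q + 1 (assumption: illustration only) and a generator of G_q.
P, Q, G1 = 1019, 509, 4


def cs_keygen(rng):
    """Algorithm K of Figure 6; g2 is a second random generator of G_q."""
    g2 = pow(G1, rng.randrange(1, Q), P)
    x1, x2, z = (rng.randrange(1, Q) for _ in range(3))
    X = pow(G1, x1, P) * pow(g2, x2, P) % P
    Z = pow(G1, z, P)
    return (P, Q, G1, g2, X, Z), (P, Q, G1, g2, x1, x2, z)


def cs_encrypt(pk, m, rng):
    """Algorithm E of Figure 6: one coin r drives all four components."""
    p, q, g1, g2, X, Z = pk
    r = rng.randrange(1, q)
    return (pow(g1, r, p), pow(g2, r, p), pow(Z, r, p) * m % p, pow(X, r, p))


def cs_decrypt(sk, c):
    """Algorithm D of Figure 6: V must equal R1^x1 * R2^x2, else ⊥ (None here)."""
    p, q, g1, g2, x1, x2, z = sk
    R1, R2, E, V = c
    if V != pow(R1, x1, p) * pow(R2, x2, p) % p:
        return None
    return E * pow(pow(R1, z, p), -1, p) % p


def roundtrip_ok(seed):
    """Consistency requirement: D(sk, E(pk, M)) = M for M = g1^2 ∈ G_q."""
    rng = random.Random(seed)
    pk, sk = cs_keygen(rng)
    return cs_decrypt(sk, cs_encrypt(pk, 16, rng)) == 16


def inconsistent_tuple_rejected(seed):
    """(g1^r, g2^r', Z^r * M, X^r) with r != r' is not a DH-tuple: the V check fails, because
    R1^x1 * R2^x2 = g1^(x1 r) * g2^(x2 r') differs from X^r = g1^(x1 r) * g2^(x2 r) whenever
    x2 * (r - r') is nonzero mod q, which always holds here (q prime, 1 <= x2 < q)."""
    rng = random.Random(seed)
    pk, sk = cs_keygen(rng)
    p, q, g1, g2, X, Z = pk
    r, r_other = 5, 6
    c = (pow(g1, r, p), pow(g2, r_other, p), pow(Z, r, p) * 16 % p, pow(X, r, p))
    return cs_decrypt(sk, c) is None


def scaled_ciphertext_decrypts_scaled_message(seed):
    """E is not bound by the check, so (R1, R2, E * k, V) is accepted and decrypts to M * k."""
    rng = random.Random(seed)
    pk, sk = cs_keygen(rng)
    R1, R2, E, V = cs_encrypt(pk, 16, rng)
    k = 64                              # another element of G_q
    return cs_decrypt(sk, (R1, R2, E * k % P, V)) == 16 * k % P
```

The rejection case is deterministic rather than probabilistic: with r − r' = −1 and x2 in [1, q−1], the exponent x2(r − r') is never 0 modulo the prime q, so g2 raised to it is never 1 and the check fails for every key.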
Abstract. The OAEP construction is already 10 years old and well-established in many practical applications. But after some doubts about its actual security level, four years ago, the first efficient and provably IND-CCA1 secure encryption padding was formally and fully proven to achieve the expected IND-CCA2 security level, when used with any trapdoor permutation. Even if it requires the partial-domain one-wayness of the permutation, for the main application (with the RSA permutation family) this intractability assumption is equivalent to the classical (full-domain) one-wayness, but at the cost of an extra quadratic-time reduction. The security proof, which was already not very tight to the RSA problem, is thus much worse.

However, the practical optimality of the OAEP construction is two-fold, hence its attractiveness: from the efficiency point of view because of two extra hashings only, and from the length point of view since the ciphertext has a minimal bit-length (the encoding of an image by the permutation). But the bandwidth (or the ratio ciphertext/plaintext) is not optimal because of the randomness (required by the semantic security) and the redundancy (required by the plaintext-awareness, the sole way known to provide efficient CCA2 schemes).

At last Asiacrypt '03, the latter intuition had been broken by exhibiting the first IND-CCA2 secure encryption schemes without redundancy, and namely without achieving plaintext-awareness, while in the random-oracle model: the OAEP 3-round construction. But this result achieved only similar practical properties as the original OAEP construction: the security relies on the partial-domain one-wayness, and needs a trapdoor permutation, which limits the application to RSA, with still a quite bad reduction.

This paper improves this result: first we show the OAEP 3-round actually relies on the (full-domain) one-wayness of the permutation (which improves the reduction), then we extend the application to a larger class of encryption primitives (including ElGamal, Paillier, etc.). The extended security result is still in the random-oracle model, and in a relaxed CCA2 model (which lies between the original one and the replayable CCA scenario).

P.J. Lee (Ed.): ASIACRYPT 2004, LNCS 3329, pp. 63-77, 2004. 

© Springer- Verlag Berlin Heidelberg 2004 
1 Introduction

The OAEP construction [4, 12, 13] is now well-known and widely used, since it is an efficient and secure padding. However, the latter property had been recently called into question: indeed, contrary to the widely admitted result, the security cannot be based on the sole one-wayness of the permutation [28], but on the partial-domain one-wayness [12, 13]. For an application to RSA, the main trapdoor one-way permutation, the two problems are equivalent, but the security reduction is much worse than believed, because of a quadratic reduction between the two above problems.

There is also a second drawback of the OAEP construction, since its use is limited to permutations. It can definitely not apply to any function, as tried and failed on the NTRU primitive [15].

Finally, the optimality, as claimed in the name of the construction, is ambiguous and not clear: from the efficiency point of view, the extra cost for encryption and decryption is just two more hashings, which is indeed quite good. But the most important optimality was certainly from the length point of view: the ciphertext is just an image by the permutation, and thus as short as possible. However, another important parameter is the bandwidth, or the ratio ciphertext/plaintext, which is not optimal: the construction requires a randomness over 2k bits for a semantic security in 2^{-k}, and redundancy over k bits for preventing chosen-ciphertext attacks (plaintext-awareness): the ciphertext is thus at least 3k bits larger than the plaintext.

1.1 Related Work 

Right after Shoup's remark about the security of OAEP [28], several alternatives to OAEP have been proposed: OAEP+ (by Shoup himself) and SAEP, SAEP+ (by Boneh [6]), but either the bandwidth or the reduction cost remain pretty bad. Furthermore, their use was still limited to permutations.

About generic paddings applicable to more general encryption primitives, one had to wait five years after the OAEP proposal to see the first efficient suggestions: Fujisaki-Okamoto [10, 11] proposed the first constructions, then Pointcheval [23] suggested one, and eventually Okamoto-Pointcheval [18] introduced the most efficient construction, called REACT. However, all these proposals are far from optimal for the ciphertext size. They indeed apply, in the random-oracle model, the general approach of symmetric and asymmetric components integration [27]: an ephemeral key is first encrypted using key-encapsulation, then this key is used on the plaintext with a symmetric encryption scheme (which is either already secure against chosen-ciphertext attacks, or made so by appending a MAC, or a tag with a random oracle, for achieving plaintext-awareness).

Plaintext-awareness [4, 3] was indeed the essential ingredient to achieve IND-CCA2 security in the random-oracle model: it makes the simulation of the decryption oracle quite easy, by rejecting almost all the decryption queries, unless the plaintext is clearly known. But this property reduces the bandwidth since "unnecessary" redundancy is introduced. Randomness is required for the semantic security, but this is the sole mandatory extra data for constructing a secure ciphertext. At last Asiacrypt [21], the first encryption schemes with just such randomness, but no redundancy, were proposed: plaintext-awareness is no longer achieved, since any ciphertext is valid and corresponds to a plaintext. But this does not exclude the IND-CCA2 security level. In that paper [21], we indeed proved that an extension of OAEP, with 3 rounds but without redundancy, provides an IND-CCA2 secure encryption scheme, with any trapdoor permutation, but again under the partial-domain one-wayness. Hence a bad security reduction.

Note 1. The classical OAEP [4] construction can be seen as a 2-round Feistel 
network, while our proposal [21] was a 3-round network, hence the name OAEP 
3-round. By the way, one should notice that SAEP [6] can be seen as a 1-round 
Feistel network. 
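To make the Feistel view of Note 1 concrete, here is an added Python example (written for this edit; it is not the paper's specification of OAEP 3-round, whose exact wiring is given in its Section 3 and not on this page). It builds an unbalanced Feistel network over the halves (m || 0^{k1}, r) in which the even rounds mask the left half and the odd rounds mask the right half, so that 2 rounds have the OAEP shape, 1 round the SAEP shape, and 3 rounds add one more hashing. The round functions are SHA-256 in counter mode and the sample message and randomness are constructed; treating G and H as such round functions is an assumption of the illustration. The example also shows the redundancy point made just above: with k1 zero bytes a tampered string is rejected, while with no redundancy every string unpads to some plaintext.

```python
import hashlib


def _mask(round_index, data, out_len):
    """Round function F_i: SHA-256 in counter mode, domain-separated by the round index
    (constructed; the paper's hash functions G and H are assumed to play this role)."""
    out, counter = b"", 0
    while len(out) < out_len:
        out += hashlib.sha256(bytes([round_index, counter]) + data).digest()
        counter += 1
    return out[:out_len]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def feistel_forward(left, right, rounds):
    """Unbalanced Feistel network over (left, right).  Even rounds mask the left half with
    F_i(right), odd rounds mask the right half with F_i(left).  rounds=2 has the OAEP shape
    (s = (m || 0^k1) ^ G(r), t = r ^ H(s)); rounds=3 adds one more hashing of the left half."""
    for i in range(rounds):
        if i % 2 == 0:
            left = _xor(left, _mask(i, right, len(left)))
        else:
            right = _xor(right, _mask(i, left, len(right)))
    return left, right


def feistel_inverse(left, right, rounds):
    """Undo the rounds in reverse order; each round is an involution given the other half."""
    for i in reversed(range(rounds)):
        if i % 2 == 0:
            left = _xor(left, _mask(i, right, len(left)))
        else:
            right = _xor(right, _mask(i, left, len(right)))
    return left, right


def pad(message, randomness, redundancy, rounds):
    """Append `redundancy` zero bytes to m, run the network, and output s || t."""
    left, right = feistel_forward(message + b"\x00" * redundancy, randomness, rounds)
    return left + right


def unpad(padded, r_len, redundancy, rounds):
    """Invert the network and check the redundancy; None models rejection of an invalid string."""
    left, right = feistel_inverse(padded[:-r_len], padded[-r_len:], rounds)
    body, tail = left[:len(left) - redundancy], left[len(left) - redundancy:]
    if tail != b"\x00" * redundancy:
        return None
    return body


def roundtrip_ok(rounds, redundancy):
    """pad followed by unpad returns the constructed sample message for any round count."""
    msg, r = b"constructed sample plaintext", bytes(range(16))
    return unpad(pad(msg, r, redundancy, rounds), len(r), redundancy, rounds) == msg


def tampered_rejected(rounds, redundancy):
    """Flip one bit of t.  With redundancy present the zero-byte check fails (except with
    probability about 2^(-8*redundancy)); with none, every string decodes to some plaintext."""
    msg, r = b"constructed sample plaintext", bytes(range(16))
    p = bytearray(pad(msg, r, redundancy, rounds))
    p[-1] ^= 0x01
    return unpad(bytes(p), len(r), redundancy, rounds) is None
```

The `rounds=3, redundancy=0` case is the "any ciphertext is valid" situation the text describes: the decoder never rejects, so chosen-ciphertext security cannot come from plaintext-awareness and has to be argued differently, which is what the paper's security result does.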

1.2 Achievements 

In this paper, we address the two above problems: the bad security reduction of the OAEP constructions, because of the need for the intractability of the partial-domain one-wayness; and the restriction to permutations.

First, we show that, contrary to the OAEP (2-round) construction, which cannot rely on the (full-domain) one-wayness, the OAEP 3-round simply requires the (full-domain) one-wayness: because of the third round, the adversary loses any control on the r value. It is not able to make ciphertexts with the same r without querying it.

Then, we extend the application of OAEP 3-round to a larger class of encryption primitives: it applies to any efficiently computable probabilistic injection f : E × R → F, which maps any x ∈ E into F in a probabilistic way according to the random string ρ ∈ R. We need this function to be one-way: given y ∈ F, it must be hard to recover x ∈ E (we do not mind about the random string ρ); this probabilistic function also needs to satisfy uniformity properties which are implied by a simple requirement: f is a bijection from E × R onto F. Some additional restrictions will appear in the security proof:

- we cannot really consider the CCA2 scenario, but a relaxed one denoted RCCA, which is between the usual one and the replayable CCA2 introduced last year [7] and considered enough in many applications;

- the simulation will need a decisional oracle which checks whether two elements in F have the same pre-images in E. The security result will thus be related to the well-known gap-problems [19, 18].

This extension allows almost optimal bandwidths for many very efficient asymmetric encryption schemes, with an IND-RCCA security level related to gap-problems (e.g. an ElGamal variant related to the Gap Diffie-Hellman problem). Note that the application to trapdoor one-way permutations like RSA results in a much more efficient security result, and provides an IND-CCA2 encryption scheme under the sole one-wayness intractability assumption.
This paper is then organized as follows: in the next section, we review the classical security model for asymmetric encryption, and present our new CCA-variant. In Section 3, we present the OAEP 3-round construction for any probabilistic injection, with some concrete applications. The security result is presented and proven in Section 4.



2 Security Model 

In this section, we review the security model widely admitted for asymmetric encryption. Then, we consider some relaxed CCA-variants. First, let us briefly recall that a public-key encryption scheme S is defined by three algorithms: the key generation algorithm, which produces a pair of matching public and private keys (pk, sk); the encryption algorithm E_pk(m; r), which outputs a ciphertext c corresponding to the plaintext m ∈ 𝓜, using random coins r ∈ 𝓡; and the decryption algorithm D_sk(c), which outputs the plaintext m associated to the ciphertext c.



2.1 Classical Security Notions 

Beyond one-wayness, which is the basic security level for an encryption scheme, it is now well-admitted to require semantic security (a.k.a. polynomial security or indistinguishability of encryptions [14], denoted IND): if the attacker has some a priori information about the plaintext, it should not learn more with the view of the ciphertext. More formally, this security notion requires the computational indistinguishability between two messages, chosen by the adversary, one of which has been encrypted: the adversary should not be able to tell which one has actually been encrypted with a probability significantly better than one half. The advantage Adv^{ind}_S(A), where the adversary A is seen as a 2-stage Turing machine (A1, A2), should be negligible, where Adv^{ind}_S(A) is formally defined as

$$\mathbf{Adv}^{\mathrm{ind}}_{\mathcal{S}}(A) = 2 \times \Pr\left[\,(pk, sk) \leftarrow \mathcal{K}(1^k),\ (m_0, m_1, s) \leftarrow A_1(pk),\ b \stackrel{R}{\leftarrow} \{0, 1\},\ c = \mathcal{E}_{pk}(m_b)\ :\ A_2(m_0, m_1, s, c) = b\,\right] - 1\,.$$

Stronger security notions have also been defined thereafter (namely non-malleability [8]), but we won't deal with it since it is similar to semantic security in several scenarios [3, 5].

On the other hand, an attacker can use many kinds of attacks, according to the available information: since we are considering asymmetric encryption, the adversary can encrypt any plaintext of its choice with the public key, hence the basic chosen-plaintext attack. But the strongest attack is definitely when the adversary has unlimited access to the decryption oracle itself: adaptive chosen-ciphertext attacks [25], denoted CCA or CCA2 (as opposed to the earlier lunchtime attacks [17], denoted CCA1, where this oracle access is limited until the challenge is known). From now on, we simply use CCA instead of CCA2 since we focus on adaptive adversaries.




OAEP 3-Round: A Generic and Secure Asymmetric Encryption Padding 






The strongest security notion that we now widely consider is semantic security against adaptive chosen-ciphertext attacks, denoted IND-CCA, where the adversary just wants to distinguish which plaintext, between two messages of its choice, had been encrypted; it can ask any query to a decryption oracle (except the challenge ciphertext).

2.2 Relaxed CCA-Security 

First, at Eurocrypt '02, An et al. [1] proposed a "generalized CCA" security notion, where the adversary is restricted not to ask, to the decryption oracle, ciphertexts which are in relation with the challenge ciphertext. This relation must be an equivalence relation, publicly and efficiently computable, and decryption-respecting: if two ciphertexts are in relation, they necessarily encrypt identical plaintexts. This relaxation was needed in that paper, so that extra bits in the ciphertext, which can be easily added or suppressed, should not make the scheme theoretically insecure, while its security is clearly the same from a practical point of view.

More recently, another relaxation (an extra one beyond the above one) has 
been proposed by Canetti et al [7]: informally, it extends the above relation 
to the (possibly non-computable) equality of plaintexts. More precisely, if the 
adversary asks for a ciphertext c to the decryption oracle, c is first decrypted 
into m. Then, if m is one of the two plaintexts output in the first stage by the 
adversary, the decryption oracle returns test, otherwise the actual plaintext m is 
returned. They called this variant the “replayable CCA” security. They explain 
that this security level, while clearly weaker than the usual CCA one, is enough 
in most of the practical applications. The classical CCA security level is indeed 
very strong, too strong for the same reasons as explained above for the first 
relaxation. 

In this paper, we could work with the latter relaxation, the "replayable CCA" scenario. But for a simpler security proof, as well as a more precise security result (with nice corollaries for particular cases, such as the RSA one) we restrict it a little bit into the "relaxed CCA" scenario, denoted RCCA. A scheme which is secure in this scenario is trivially secure in the "replayable CCA" one, but not necessarily in the "generalized CCA" or the usual CCA scenario. The actual relations between these scenarios depend on the way the random string is split. In the formal notation of the encryption algorithm, we indeed split the randomness in two parts $r$ and $\rho$: $c = \mathcal{E}_{pk}(m; r, \rho)$. The encryption algorithm is thus a function from $\mathcal{M} \times \mathcal{R} \times R$ into the ciphertext set. We know that for being an encryption scheme, this function must be an injection with respect to $\mathcal{M}$ (several elements in $\mathcal{M} \times \mathcal{R} \times R$ can map to the same ciphertext, but all these elements must project uniquely on $\mathcal{M}$: the plaintext). In our new relaxation, we split the randomness in $\mathcal{R} \times R$ so that this function is also an injection with respect to $\mathcal{M} \times \mathcal{R}$.

Let us assume that the challenge ciphertext is $c^* = \mathcal{E}_{pk}(m^*; r^*, \rho^*)$. Let us consider the ciphertext $c = \mathcal{E}_{pk}(m; r, \rho)$. According to the above comment, $(m^*, r^*)$ and $(m, r)$ are uniquely defined from $c^*$ and $c$ respectively, while $\rho^*$ and $\rho$ may not be unique. Upon receiving $c$, the relaxed decryption oracle first checks whether $(m^*, r^*) = (m, r)$, in which case it outputs test. Otherwise, it outputs $m$.

Definition 2 (Relaxed CCA). In the "relaxed CCA" scenario, an adversary has unlimited access to the relaxed decryption oracle.

Property 3. Security in the "relaxed CCA" scenario implies security in the "replayable CCA" one.

Proof. As already noticed, this is a trivial relation, since the decryption oracle in the latter scenario can be easily simulated by the relaxed decryption oracle: if its output is test, this value is forwarded, else the returned plaintext $m$ is compared to the output of the adversary at the end of the first stage. According to the result of the comparison, either a test-answer is also given (if $m \in \{m_0, m_1\}$), or $m$.

This property was just to make clear that we do not relax the CCA security any further, but still keep it beyond what is clearly acceptable for practical use. Namely, note that if $R$ is the empty set, then the RCCA scenario is exactly the usual CCA one: this is the case when $f$ is a permutation from $E$ onto $F$ (the RSA case).



3 OAEP 3-Round: A General and Efficient Padding 

3.1 The Basic Primitive 

Our goal is to prove that OAEP 3-round can be used with a large class of one-way functions. More precisely, we need an injective probabilistic trapdoor one-way function family $(\varphi_{pk})_{pk}$ from a set $E_{pk}$ to a set $F_{pk}$, respectively to the index $pk$: almost any encryption primitive, where the plaintext set is denoted $E_{pk}$ and the ciphertext set is denoted $F_{pk}$, is fine: for any parameter $pk$ (the public key), there exists the inverse function $\psi_{sk}$ (where $sk$ is the private key) which returns the pre-image in $E_{pk}$. An injective probabilistic trapdoor one-way function $f$ from $E$ to $F$ is actually a function $f : E \times R \to F$, which takes as input a pair $(x, \rho)$ and outputs $y \in F$. The element $x$ lies in $E$ and is the important input, $\rho$ is the random string in $R$ which makes the function probabilistic. Injectivity means that for any $y$ there is at most one $x$ (but maybe several $\rho$) such that $y = f(x, \rho)$. The function $g$ which on input $y$ outputs $x$ is the inverse of the probabilistic function $f$. Clearly, we need the function $f$ to be efficiently computable, but the one-wayness means that computing the unique $x$ (if it exists) such that $y = f(x, \rho)$ is intractable (unless one knows the trapdoor $g$). These are the basic requirements for an asymmetric encryption primitive. But for our construction to work, we need two additional properties:

— the function $f : E \times R \to F$ is a bijection;

— without knowing the trapdoor, it is intractable to invert $f$ in $E$, even for an adversary which has access to the decisional oracle $\mathsf{Same}_f(y, y')$ which answers whether $g(y) = g(y')$.

The latter property is exactly the "gap problem" notion, which is defined by the following success probability $\mathrm{Succ}^{\mathrm{gap}}_f(t, q)$, for any adversary $\mathcal{A}$ whose running time is limited by $t$, and the number of queries to the decisional oracle $\mathsf{Same}_f$ is upper-bounded by $q$:

$$\mathrm{Succ}^{\mathrm{gap}}_f(t, q) = \max_{\mathcal{A}} \Pr\big[x \leftarrow E,\ \rho \leftarrow R,\ y = f(x, \rho) : \mathcal{A}^{\mathsf{Same}_f}(y) = x\big].$$

For a family of functions, this success probability includes the random choice of the keys in the probability space, and assumes the inputs randomly drawn from the appropriate sets, hence the notation $\mathrm{Succ}^{\mathrm{gap}}_{\varphi}(t, q)$ for a family $(\varphi_{pk})_{pk}$.

3.2 Examples 

Let us see whether the two above additional properties are restrictive or not in 
practice: 

— The first example is clearly the RSA permutation [26], where for a given public key $pk = (n, e)$, the sets are $E = F = \mathbb{Z}_n^*$ and $R$ is the empty set. Then, this is clearly an injective (but deterministic) function, which is furthermore a bijection. Because of the determinism, the decisional oracle $\mathsf{Same}(y, y')$ simply checks whether $y = y'$: the gap problem is thus the classical RSA problem.

— The goal of our extension of OAEP is to apply it to the famous ElGamal encryption [9] in a cyclic group $G$ of order $q$, generated by $g$. Given a public key $pk = y \in G$, the sets are $E = G$, $R = \mathbb{Z}_q$ and $F = G \times G$: $\varphi_y(x, \rho) = (g^\rho, x \times y^\rho)$, which is a probabilistic injection from $E$ onto $F$, and a bijection from $E \times R$ onto $F$. About the decisional oracle, it should check, on inputs $(a = g^\rho, b = x \times y^\rho)$ and $(a' = g^{\rho'}, b' = x' \times y^{\rho'})$, whether $x = x'$, which is equivalent to deciding whether $(g, y, a'/a = g^{\rho' - \rho}, b'/b = (x'/x) \times y^{\rho' - \rho})$ is a Diffie-Hellman quadruple: the gap problem is thus the well-known Gap Diffie-Hellman problem [18, 19].

— One can easily see that Paillier's encryption [20] also fits this formalism.



3.3 Description of OAEP 3-Round 

Notations and Common Parameters. For a simpler presentation, and an easy to read analysis, we focus on the case where $E = \{0,1\}^n$ (a binary set). A similar analysis as in [21] could be performed to deal with more general sets. On the other hand, any function can be mapped into this formalism at some low cost [2].

The encryption and decryption algorithms use three hash functions: $F$, $G$, $H$ (assumed to behave like random oracles in the security analysis) where the security parameters satisfy $n = k + \ell$:

$$F : \{0,1\}^k \to \{0,1\}^\ell \qquad G : \{0,1\}^\ell \to \{0,1\}^k \qquad H : \{0,1\}^k \to \{0,1\}^\ell.$$

The encryption scheme uses any probabilistic injection family $(\varphi_{pk})_{pk}$, whose inverses are respectively denoted $\psi_{sk}$, where $sk$ is the private key associated to the public key $pk$. The symbol "$\|$" denotes the bit-string concatenation and identifies $\{0,1\}^k \times \{0,1\}^\ell$ to $\{0,1\}^n$.
Encryption Algorithm. The space of the plaintexts is $\mathcal{M} = \{0,1\}^\ell$, the encryption algorithm uses random coins, from two distinct sets $r \in \mathcal{R} = \{0,1\}^k$ and $\rho \in R$, and outputs a ciphertext $c$ into $F$: on a plaintext $m \in \mathcal{M}$, one computes

$$s = m \oplus F(r) \qquad t = r \oplus G(s) \qquad u = s \oplus H(t) \qquad c = \varphi_{pk}(t\|u, \rho).$$

Decryption Algorithm. On a ciphertext $c$, one first computes $t\|u = \psi_{sk}(c)$, where $t \in \{0,1\}^k$ and $u \in \{0,1\}^\ell$, and then

$$s = u \oplus H(t) \qquad r = t \oplus G(s) \qquad m = s \oplus F(r).$$
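The three-round padding above, instantiated with the ElGamal injection of Sect. 3.2 and exercised through the relaxed decryption oracle of Definition 2, as an added example that is not part of the paper. It assumes $F$, $G$, $H$ built from SHA-256 (constructed), a demo group $\mathbb{Z}_p^*$ for a run-time prime $p > 2^n$ (not a recommended parameter), and a `same` oracle implemented with the trapdoor rather than as a DDH decision.

```python
"""OAEP 3-round (Sect. 3.3) over a toy ElGamal injection (Sect. 3.2), with the
relaxed decryption oracle of Definition 2.  Added example, not the paper's
code.  Constructed assumptions: F, G, H are SHA-256 counter-mode expansions
with domain-separation labels; the group is Z_p^* for the smallest prime
p > 2^n found at run time (demo group only, not a recommended parameter
choice); k = 128 and l = 256 bits."""
import hashlib
import secrets

K, L = 16, 32    # |r| = k bits, |m| = l bits (in bytes)
N = K + L        # n = k + l

def _mask(label, data, outlen):
    """Counter-mode SHA-256 expansion standing in for a random oracle."""
    out, ctr = b"", 0
    while len(out) < outlen:
        out += hashlib.sha256(label + ctr.to_bytes(4, "big") + data).digest()
        ctr += 1
    return out[:outlen]

F = lambda r: _mask(b"F", r, L)    # {0,1}^k -> {0,1}^l
G = lambda s: _mask(b"G", s, K)    # {0,1}^l -> {0,1}^k
H = lambda t: _mask(b"H", t, L)    # {0,1}^k -> {0,1}^l
xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))

def oaep3_pad(m, r):
    """s = m + F(r), t = r + G(s), u = s + H(t); returns t||u (n bits)."""
    assert len(m) == L and len(r) == K
    s = xor(m, F(r))
    t = xor(r, G(s))
    return t + xor(s, H(t))

def oaep3_unpad(tu):
    """Inverse of oaep3_pad: no redundancy, so every n-bit t||u decodes."""
    t, u = tu[:K], tu[K:]
    s = xor(u, H(t))
    r = xor(t, G(s))
    return xor(s, F(r))

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin with random bases; only used to build the demo group."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime_above(bound):
    n = bound | 1
    while not _is_probable_prime(n):
        n += 2
    return n

P = _prime_above(1 << (8 * N))   # p > 2^n: t||u shifted by one always lies in Z_p^*
GEN = 2                          # fixed base g of the demo group

def keygen():
    sk = secrets.randbelow(P - 2) + 1          # returns (pk = y = g^sk, sk)
    return pow(GEN, sk, P), sk

def phi(y, x, rho):
    """ElGamal injection phi_y(x, rho) = (g^rho, x * y^rho), applied to x = t||u."""
    xi = int.from_bytes(x, "big") + 1          # shift so that x is never 0 mod p
    return pow(GEN, rho, P), xi * pow(y, rho, P) % P

def psi(sk, c):
    """Trapdoor inverse psi_sk: recovers x = t||u and discards rho."""
    a, b = c
    xi = b * pow(a, P - 1 - sk, P) % P         # b / a^sk, since a^(p-1) = 1
    return (xi - 1).to_bytes(N, "big")

def encrypt(y, m):
    r = secrets.token_bytes(K)                 # r <- {0,1}^k
    rho = secrets.randbelow(P - 1)             # rho <- R = Z_{p-1}
    return phi(y, oaep3_pad(m, r), rho)

def decrypt(sk, c):
    return oaep3_unpad(psi(sk, c))

def same(sk, c1, c2):
    """Decisional oracle Same_phi: equal pre-images t||u?  Done with the trapdoor here."""
    return psi(sk, c1) == psi(sk, c2)

def relaxed_decrypt(sk, challenge, c):
    """Relaxed decryption oracle (Definition 2): 'test' on the challenge's class."""
    return "test" if same(sk, challenge, c) else decrypt(sk, c)
```

Because the padding carries no redundancy, `oaep3_unpad` never rejects; the relaxed oracle, not a redundancy check, is what keeps a re-randomised copy of the challenge from being decrypted.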



4 Security Result 



In this section, we state and prove the security of this construction. A sketch 
is provided in the body of the paper, the full proof can be found in the full 
version [22]. 



Theorem 4. Let $\mathcal{A}$ be an IND-RCCA adversary against the OAEP 3-round construction with any trapdoor one-way probabilistic function family $(\varphi_{pk})_{pk}$, within time $\tau$. Let us assume that after $q_f$, $q_g$, $q_h$ and $q_d$ queries to the random oracles $F$, $G$ and $H$, and the decryption oracle respectively, its advantage $\mathrm{Adv}^{\mathrm{ind\text{-}rcca}}_{\mathrm{oaep3}}(\tau)$ is greater than $\varepsilon$. Then, $\mathrm{Succ}^{\mathrm{gap}}_{\varphi}(t', q_d(q_g q_h + q_d))$ is upper-bounded by

$$(4 q_d + 1) \times \cdots \ -\ \cdots \times \frac{q_f + 1}{2^k},$$

with $t' \le \tau + (q_f + q_g + q_h + q_d)\,T_{lu} + q_d\,T_{\mathsf{Same}} + (q_d + 1)\,q_g q_h\,(T_\varphi + T_{\mathsf{Same}})$, where $T_\varphi$ is the time complexity for evaluating any function $\varphi_{pk}$, $T_{\mathsf{Same}}$ is the time for the decisional oracle $\mathsf{Same}_{\varphi_{pk}}$ to give its answer, and $T_{lu}$ is the time complexity for a look up in a list.



4.1 Trapdoor Permutations 

Before proving this general result, let us consider the particular case where $\varphi_{pk}$ is a permutation from $E$ onto $F$ (i.e., a deterministic function). The general result has indeed several drawbacks:

— the reduction cost introduces a cubic factor $q_d q_g q_h$ which implies larger keys for achieving a similar security level as for some other constructions;

— the security relies on a gap problem, which is a strong assumption in many 
cases; 

— and we cannot achieve the usual IND-CCA security level. 

These drawbacks are acceptable as the price of generality: this becomes one of the best paddings for strongly secure variants of ElGamal or Paillier. However, for trapdoor permutations, such as RSA, several OAEP variants achieve much better efficiency.

But one should interpret the above result in this particular case: first, the gap problem becomes the classical one-wayness, since the decisional oracle is simply the equality test. Furthermore, the RCCA scenario becomes the classical CCA one. Finally, because of the determinism of the permutation, with proper bookkeeping, one can avoid the cubic factor, and fall back to the usual quadratic factor $q_g q_h$, as for any OAEP-like construction (OAEP+, SAEP and SAEP+). Then, one can claim a much better security result:

Theorem 5. Let $\mathcal{A}$ be an IND-CCA adversary against the OAEP 3-round construction with a trapdoor one-way permutation family $(\varphi_{pk})_{pk}$, within time $\tau$. Let us assume that after $q_f$, $q_g$, $q_h$ and $q_d$ queries to the random oracles $F$, $G$ and $H$, and the decryption oracle respectively, its advantage $\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{oaep3}}(\tau)$ is greater than $\varepsilon$. Then, $\mathrm{Succ}^{\mathrm{ow}}_{\varphi}(t')$ is upper-bounded by

$$(4 q_d + 1) \times \cdots \ -\ \cdots \times \frac{q_f + 1}{2^k},$$

with $t' \le \tau + (q_f + q_g + q_h + q_d)\,T_{lu} + q_g q_h\,T_\varphi$, where $T_\varphi$ is the time complexity for evaluating any function $\varphi_{pk}$ and $T_{lu}$ is the time complexity for a look up in a list.



4.2 Sketch of the Proof 

The proof is very similar to the one in [21], but the larger class (injective probabilistic functions), and the improved security result (relative to the one-wayness) make some points more intricate: for a permutation $f$, each value $x$ maps to a unique image $y = f(x)$; whereas for a function $f$, each value $x$ maps to several images $y = f(x, \rho)$, according to the random string $\rho$. Consequently, when used as an asymmetric encryption primitive, the adversary may have the ability to build another $y'$ whose pre-image is identical to the one of $y$: $x = g(y) = g(y')$. Such a query to the decryption oracle is not excluded in the CCA scenario, while we may not be able to either detect or answer it. Hence the relaxed version of chosen-ciphertext security, and the decisional oracle $\mathsf{Same}_f$: the latter helps to detect ciphertexts with identical pre-images, the relaxed scenario gives the ability to answer test in this case. Granted the decisional oracle $\mathsf{Same}_f$, we can also detect whether a decryption query $c$ has the same pre-image as a previous decryption query $c'$, in which case we output the same plaintext. If it is a really new ciphertext, by using again the decisional oracle $\mathsf{Same}_f$, we can check whether $s$ and $t$ have both been asked to $G$ and $H$, respectively, which immediately leads to the plaintext $m$. In the negative case, a random plaintext can be safely returned.



4.3 More Details 

The full proof can be found in the full version [22], but here are the main steps, since the proof goes by successive games in order to show that the above decryption simulation is almost indistinguishable for the adversary. Then, a successful IND-RCCA adversary can be easily used for inverting the one-way function.

$G_0$: We first start from the real IND-RCCA attack game.

$G_1$–$G_2$: We then simulate the view of the adversary, first, as usual with lists for the random oracles and the decryption oracle (see Figures 1 and 2). We then modify the generation of the challenge ciphertext, using a random mask $f^*$, totally independent of the view of the adversary: the advantage of any adversary is then clearly zero. The plaintext is indeed unconditionally hidden.

The only way for any adversary to detect this simulation is to ask $F(r^*)$ and then detect that the answer differs from any possible $f^*$. We are thus interested in this event, termed AskF, which denotes the event that $r^*$ is asked to $F$.

The main difference with the OAEP 2-round construction, as shown by Shoup with his counter-example [28], is that here an adversary cannot make another ciphertext with the same $r$ as $r^*$, in the challenge ciphertext, but either by chance, or if it had asked for both $G(s^*)$ and

We now try to show this fact.

$G_3$–$G_5$: We thus modify the decryption process so that it makes no new query to $G$ and $H$. The sequence of games leads to the following new rules:

► Rule Decrypt-noT

Choose $m \leftarrow \{0,1\}^\ell$.

► Rule Decrypt-TnoS

Choose $m \leftarrow \{0,1\}^\ell$.

► Rule Decrypt-TSnoR

If $s = s^*$ but $s^*$ has not been directly asked by the adversary yet: $m \leftarrow \{0,1\}^\ell$.

Else, one chooses $m \leftarrow \{0,1\}^\ell$, computes $f = m \oplus s$ and adds $(r, f)$ in $F$-List.

► Rule EvalGAdd

For each $(t, h) \in H$-List and each $(m, c) \in D$-List, choose an arbitrary random $\rho \in R$ and ask for $(c, c' = \varphi_{pk}(t \| h \oplus s, \rho))$ to the decisional oracle $\mathsf{Same}_{\varphi_{pk}}$. If the record is found (the decisional oracle $\mathsf{Same}_{\varphi_{pk}}$ answers "yes"), we compute $r = t \oplus g$ and $f = m \oplus s$, and finally add $(r, f)$ in $F$-List.

Some bad cases may appear, which make our simulation fail. But they are very unlikely, so we can safely cancel such executions, applying the following rule




$F$, $G$ and $H$ Oracles

Query $F(r)$: if a record $(r, f)$ appears in $F$-List, the answer is $f$. Otherwise the answer $f$ is chosen randomly in $\{0,1\}^\ell$ and the record $(r, f)$ is added in $F$-List.

Query $G(s)$: if a record $(s, g)$ appears in $G$-List, the answer is $g$. Otherwise the answer $g$ is chosen randomly in $\{0,1\}^k$ and the record $(s, g)$ is added in $G$-List.

  ► Rule EvalGAdd$^{(1)}$: Do nothing. % To be defined later

Query $H(t)$: if a record $(t, h)$ appears in $H$-List, the answer is $h$. Otherwise the answer $h$ is chosen randomly in $\{0,1\}^\ell$ and the record $(t, h)$ is added in $H$-List.

$D$ Oracle

Query $D_{sk}(c)$: first, if we are in the second stage (the challenge $c^*$ has been defined), ask for $(c, c^*)$ to the decisional oracle $\mathsf{Same}_{\varphi_{pk}}$. In case of positive decision, the answer is test.

Else, for each $(m', c')$ in $D$-List, ask for $(c, c')$ to the decisional oracle $\mathsf{Same}_{\varphi_{pk}}$. In case of a positive decision, the answer is the corresponding $m'$.

Otherwise, the answer $m$ is defined according to the following rules:

  ► Rule Decrypt-Init$^{(1)}$: Compute $t \| u = \psi_{sk}(c)$; look up for $(t, h) \in H$-List:

    — if the record is found, compute $s = u \oplus h$. Look up for $(s, g) \in G$-List:

      • if the record is found, compute $r = t \oplus g$. Look up for $(r, f) \in F$-List:

        * if the record is found: ► Rule Decrypt-TSR$^{(1)}$: $h = H(t)$, $s = u \oplus h$, $g = G(s)$, $r = t \oplus g$, $f = F(r)$, $m = s \oplus f$.

        * else: ► Rule Decrypt-TSnoR$^{(1)}$: same as rule Decrypt-TSR$^{(1)}$.

      • else: ► Rule Decrypt-TnoS$^{(1)}$: same as rule Decrypt-TSR$^{(1)}$.

    — else: ► Rule Decrypt-noT$^{(1)}$: same as rule Decrypt-TSR$^{(1)}$.

Answer $m$ and add $(m, c)$ to $D$-List.

Fig. 1. Formal Simulation of the IND-RCCA Game: Oracles









D.H. Phan and D. Pointcheval 





For two messages $(m_0, m_1)$, flip a coin $b$ and set $m^* = m_b$, choose randomly $r^*$, then answer $c^*$ where

  ► Rule Chal$^{(1)}$: $f^* = F(r^*)$, $s^* = m^* \oplus f^*$, $g^* = G(s^*)$, $t^* = r^* \oplus g^*$, $h^* = H(t^*)$, $u^* = s^* \oplus h^*$.

  ► Rule ChalC$^{(1)}$: and $c^* = \varphi_{pk}(t^* \| u^*, \rho^*)$, for random string $\rho^*$.

Fig. 2. Formal Simulation of the IND-RCCA Game: Challenger



► Rule Abort$^{(1)}$

Abort and output a random bit:

— If $s^*$ has been asked to $G$ by the adversary, while the latter did not ask for

— If a Decrypt-TSR/Decrypt-TSnoR rule has been applied with $t = t^*$, while had not been asked by the adversary yet.

— If a Decrypt-TSR rule has been applied with $s = s^*$, while $G(s^*)$ had not been asked by the adversary yet.

The remaining bad case (termed AskGH) is if both $s^*$ and $t^*$ have been asked to $G$ and $H$ by the adversary. Such a case helps the adversary to distinguish our simulation. On the other hand, this case helps to invert $\varphi_{pk}$.

$G_6$: With these new rules for decryption, the simulation of the decryption oracle does not use at all the queries previously asked to $G$ and $H$ by the generation of the challenge, but just the queries directly asked by the adversary, which are available to the simulator (we remind that we are in the random-oracle model). One can thus make $g^*$ and $h^*$ values independent of the view of the adversary:

► Rule Chal$^{(6)}$

The two values $r^+ \leftarrow \{0,1\}^k$ and $f^+ \leftarrow \{0,1\}^\ell$ are given, as well as $g^+ \leftarrow \{0,1\}^k$ and $h^+ \leftarrow \{0,1\}^\ell$, then $r^* = r^+$, $f^* = f^+$, $s^* = m^* \oplus f^+$, $g^* = g^+$, $t^* = r^+ \oplus g^*$, $h^* = h^+$ and $u^* = s^* \oplus h^*$.

And then the decryption oracle can be simply replaced by the classical plaintext-extractor which looks up in the lists $G$-List and $H$-List (which only contain the queries directly asked by the adversary) to obtain the values $(s, g)$ and $(t, h)$ which match with $c = \varphi_{pk}(t \| s \oplus h, \rho)$, using the decisional oracle $\mathsf{Same}_{\varphi_{pk}}$, but without using $\psi_{sk}$ anymore. In case of failure, one answers a random plaintext $m$.








We simply conclude, since our reduction does not use any oracle, but can answer any query of the adversary, in an indistinguishable way, unless the bad case AskGH happens: in which case we have inverted $\varphi_{pk}$.

The time complexity of one simulation is thus upper-bounded by $q_g q_h \times (T_\varphi + T_{\mathsf{Same}})$, where $T_\varphi$ is the time to evaluate one function in the $\varphi$ family, and $T_{\mathsf{Same}}$ the time for the decisional oracle, plus the initial look up in the $D$-List: $T_{lu} + q_d T_{\mathsf{Same}}$. Thus the global running time is bounded by (including all the list look ups):

$$\tau + q_d q_g q_h \times (T_\varphi + T_{\mathsf{Same}}) + q_d \times T_{\mathsf{Same}} + (q_f + q_g + q_h + q_d) \times T_{lu}.$$

In the particular case where $\varphi_{pk}$ is a permutation from $E$ onto $F$ (a deterministic one), one can improve it, using an extra list of size $q_g q_h$, which stores all the tuples $(s, g = G(s), t, h = H(t), c = \varphi_{pk}(t \| s \oplus h))$. The time complexity then falls down to $\tau + q_g q_h \times T_\varphi + (q_f + q_g + q_h + q_d) \times T_{lu}$.

5 Conclusion 

All the OAEP variants [28,6] applied to RSA, with general exponents (i.e., not Rabin nor $e = 3$) admit, in the best cases, reductions to the RSA problem with a quadratic loss in time complexity [24]; the original OAEP is even worse because of the reduction to the partial-domain case, which requires a more time-consuming reduction to the full-domain RSA problem. Furthermore, for a security level in $2^{-k}$, a randomness of $2k$ bits is required, plus a redundancy of $k$ bits.

In this paper, we show that the variant of OAEP with 3 rounds admits a 
reduction as efficient as the best OAEP variants (to the full-domain RSA, when 
applied to the RSA family) without having to add redundancy: one can thus 
earn k bits. But this is not the main advantage. 

Considering any criteria, OAEP with 3 rounds is at least as good as all the other OAEP variants, but from a more practical point of view:

— since no redundancy is required, implementation becomes easier, namely for 
the decryption process [16]; 

— it applies to more general families than just (partial-domain) one-way trap- 
door permutations, but to any probabilistic trapdoor one-way function. It is 
thus safer to use it with a new primitive [15]. 

As a conclusion, OAEP with 3 rounds is definitely the most generic and the simplest padding to use with almost all the encryption primitives.
Secret key cryptography was traditionally divided into block ciphers and stream ciphers, but over the last 30 years the balance had steadily shifted, and today stream ciphers have become an endangered species. In this talk I'll survey the current state of the art in stream ciphers: who needs them, who uses them, how they are attacked, and how they can be protected by new types of constructions.
Abstract. In this paper we introduce the concept of generalized linear equivalence between functions defined over finite fields; this can be seen as an extension of the classical criterion of linear equivalence, and it is obtained by means of a particular geometric representation of the functions. After giving the basic definitions, we prove that the known equivalence relations can be seen as particular cases of the proposed generalized relationship and that there exist functions that are generally linearly equivalent but are not such in the classical theory. We also prove that the distributions of values in the Difference Distribution Table (DDT) and in the Linear Approximation Table (LAT) are invariants of the new transformation; this gives us the possibility to find some Almost Perfect Nonlinear (APN) functions that are not linearly equivalent (in the classical sense) to power functions, and to treat them according to the new formulation of the equivalence criterion. This answers a question posed in [8].

Keywords: Boolean functions, linear equivalence, differential cryptanal- 
ysis, linear cryptanalysis, APN functions, S-boxes. 



1 Introduction 

The design criteria for symmetric key algorithms can be traced back to the work 
of Shannon [18], where the concepts of confusion and diffusion are formalized. 
Today, a significant number of block ciphers are built by alternating nonlinear 
substitution layers with linear diffusion layers, in the so called Substitution- 
Permutation Networks (SPNs). It has been proved that the usage of sufficiently 
strong substitution functions, or S-boxes, leads to construction of strong block 
ciphers, see for instance the Wide-Trail design technique [6]. The strength of 
each S-box is often measured by means of the resistance to differential [4] and 
linear [14], [3] cryptanalysis. 

For a given function $f : \mathbb{F}_{p^m} \to \mathbb{F}_{p^n}$ with $p$ prime and $m, n \ge 1$ we can build the DDT by computing the number $\delta_f(a, b)$ of solutions $x$ of the equation

$$f(x + a) - f(x) = b \qquad a \in \mathbb{F}_{p^m},\ b \in \mathbb{F}_{p^n} \qquad (1)$$

The lower the value of the maximum entry in the table, $\Delta_f = \max_{a \neq 0,\, b}(\delta_f(a, b))$, the more robust function $f$ is versus differential cryptanalysis.

P.J. Lee (Ed.): ASIACRYPT 2004, LNCS 3329, pp. 79-91, 2004.

© Springer-Verlag Berlin Heidelberg 2004
In a similar way, we can construct the LAT of $f$ by counting the number $\lambda_f(a, b)$ of solutions $x$ of the equation

$$a \cdot x = b \cdot f(x) \qquad a \in \mathbb{F}_{p^m},\ b \in \mathbb{F}_{p^n} \qquad (2)$$

where the inner product is indicated with $\cdot$ and gives a value in $\mathbb{F}_p$. The robustness to linear cryptanalysis is measured with the maximum value $\Lambda_f = \max_{a,\, b \neq 0}\big(|\lambda_f(a, b) - \cdots|\big)$. Good S-boxes have both small $\Delta_f$ and $\Lambda_f$ values, and usually have a complex algebraic expression; most of the results focus on the case $p = 2$ which is of interest for practical applications.

Two functions are said to be equivalent if they differ by a group operation on the input or output variables; Lorens [12] and Harrison [10], [11] have considered the special case of invertible $n$-bit vectorial Boolean functions and have derived the exact number of equivalence classes (along with asymptotic estimates) for $n \le 5$ when different transformations such as complementation, permutation, linear and affine transformations are applied on the input and output bits. Similar results can be found in [1], [13] regarding the case of Boolean functions with 5 and 6 input bits, and an asymptotic estimate for the number of equivalence classes of Boolean functions under the transformation $g(x) = f(Ax + b) + L(x)$ (where $L$ is a linear transformation) can be found in [7]. We can say that, in the most general case of classical linear equivalence, two functions $f, g : \mathbb{F}_{p^m} \to \mathbb{F}_{p^n}$ are linearly equivalent if there are two non-singular matrices $A$, $B$ and a matrix $C$ over $\mathbb{F}_p$ such that

$$g(x) = Bf(Ax) + Cx \qquad (3)$$

The fact that two functions belong to the same equivalence class is rather important from a cryptanalytic point of view; it is well known that the distributions of values in the DDT and LAT as defined by (1) and (2) are invariant under the transformation (3). It is also true that if $f$ is invertible, then $g(x) = f^{-1}(x)$ has the same cryptographic robustness as $f$ [15], [2]. This has motivated the fact that the inverse of a function is also quoted as being equivalent to it [8]; while this is understandable from the point of view of cryptography¹, there is no formal consistency in the theory, because clearly the operation of inversion is very different from the transformation in (3).

To fill this gap, in Sect. 2 we propose a re-definition of the criterion of linear 
equivalence that permits us to treat the classical case of linear equivalence and 
the inversion operation with a unified approach. The criterion of generalized 
linear equivalence can be applied to functions over finite fields, provided that 
they are represented geometrically by set of vectors in an appropriate linear 
space S. The set of vectors representing function / is denoted with F and called 
the implicit embedding of / (in the space S'); the implicit embedding contains 
the information of the truth-table of the function. 



¹ A significant example is that of power functions over $\mathbb{F}_{p^n}$, as it happens that the inverse of a power monomial is again a power monomial, generally belonging to a different cyclotomic coset.
Two functions $f$ and $g$ are said to be generally linearly equivalent if $\mathcal{G}$ can be obtained from $\mathcal{F}$ with an invertible linear transformation $T$ that acts on the space $S$, i.e. $\mathcal{G} = T(\mathcal{F})$. We show that there exist couples of functions that are generally linearly equivalent but are not correlated in the classical theory of equivalence; thus the proposed criterion is in fact an extension of the classical concept of equivalence.

In Sect. 3 we prove that the cryptographic robustness of a function versus 
differential and linear cryptanalysis is invariant under the transformations con- 
sidered in the framework of generalized linear equivalence, completing the proof 
for the classical case. 

In Sect. 4 we apply the criterion to power functions; we give an example of an 
APN function that is not classically linearly equivalent to any power monomial, 
but is easily obtainable using the generalized equivalence criterion. This answers 
a question posed in [8]. 

Sect. 5 concludes the paper. 



2 Extension of the Linear Equivalence Relation

2.1 A Geometric Representation 

Let us consider a completely specified function $f : \mathbb{F}_{p^m} \to \mathbb{F}_{p^n}$, with no restrictions on the values of $m, n$. There are different possible representations for the object $f$; we are particularly interested in the truth table of $f$, that lists the output values of $f$ associated with the corresponding (actually, all the possible) input values. If we view the truth table as a matrix, there are $p^m$ rows, $m + n$ columns, and each entry belongs to the field $\mathbb{F}_p$. The ordering of the rows is not important, in the sense that two truth tables that contain the same rows in different order specify the same function and thus can be considered as the same truth table.

We can build a geometric representation of the function in the following way. Let $S$ be a linear space of dimension $k = m + n$, the elements (or vectors) of which are defined over the finite field $\mathbb{F}_{p^{m+n}}$. Such vectors can thus be conceived both as elements of the extension field $\mathbb{F}_{p^{m+n}}$ and as vectors of the space $S$, each vector consisting of $m + n$ components over the basic field $\mathbb{F}_p$. Denote by $+$ and $\cdot$ (or nothing) the addition and multiplication of elements in $\mathbb{F}_{p^{m+n}}$; by extension $+$ denotes vector addition in $S$, and $\cdot$ (or nothing) denotes scalar-vector multiplication in $S$. Consider the set $\mathcal{F}$ of $p^m$ vectors in this space formed by the rows of the truth table of $f$, i.e. the concatenation of the input vectors with the corresponding output vectors of $f$. Formally,

$$\mathcal{F} = \{(x \,|\, f(x)),\ x \in \mathbb{F}_{p^m},\ f(x) \in \mathbb{F}_{p^n}\} \qquad (4)$$

where with $|$ we indicate the simple concatenation of two vectors with components over $\mathbb{F}_p$. Each vector of the set represents one complete row of the truth table and thus the same information is contained in both representations; since the vectors are not ordered, we can see that different orderings of the rows of the truth table, as we would write it down on a piece of paper, actually identify the same set of vectors, i.e. the same geometric entity. Two different functions have different information in the truth table and therefore they are represented with different sets of vectors. We conclude that each function $f$ can be unambiguously represented with a particular set of vectors $\mathcal{F}$, which we call its implicit embedding (in the linear space $S$).

A natural question is when a given set of vectors actually represents a func- 
tion. The following three conditions must be satisfied: 

1. The set must have cardinality $p^m$ for some positive $m$. In fact, we consider completely specified functions, and the number of rows in the truth table must be $p^m$ if the function has $m$ input variables (belonging to $\mathbb{F}_p$).

2. The dimension of the vectors must be $m + n$ for some positive $n$, i.e. the function must have at least one output variable.

3. If we consider the first $m$ components of all the vectors, we must find all possible configurations once and only once. This is because there cannot be a missing configuration (there would be a missing row in the truth table, but the function must be completely specified) and there cannot be multiple instances of the same configuration (there would be some missing configurations because the cardinality of the set is $p^m$).

We can see that there are sets of vectors which do not represent functions; thus the representation defines a relation from the set of all functions $f : \mathbb{F}_{p^m} \to \mathbb{F}_{p^n}$ to the set of all the sets of vectors in the space $\mathbb{F}_{p^{m+n}}$ that is one-to-one but not onto.



2.2 Linear Transformations Over S 

We have seen that all the information contained in the function specification 
(truth table) is contained also in its geometric counterpart; the shape of the set 
of vectors is thus a unique property of the represented function. If we apply a 
linear transformation of coordinates to the space that is invertible, the infor- 
mation contained in the set of vectors is not changed; instead, we change the 
way we are looking at every geometric object (curves, hyperplanes, etc...) that 
is contained in the linear space S, including the function represented as a set of 
vectors. 

Every invertible linear transformation over the whole space is governed by
a non-singular (m + n) × (m + n) matrix T over F_p. The non-singularity of
the matrix assures that we do not lose information while transforming the
coordinates, and also that the transformation always has an inverse.

Each vector of the implicit embedding of / is transformed into a new one, 
but the essential shape of the configuration is invariant (we shall study the 
cryptographic invariants of / in Sect. 3). Thus if one vector set is obtained 
from another one by a change of basis governed by matrix T, then the two 
corresponding functions are said to be generally linearly equivalent. 
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Definition 1. Two functions f, g : F_p^m → F_p^n are called generally linearly
equivalent¹ if and only if the implicit embedding G of g can be obtained from the
implicit embedding F of f with

G = T(F)

where T is an invertible linear transformation over the space F_p^{m+n} corresponding
to the non-singular matrix T.



We can treat the classical notion of linear equivalence as a particular case of
the generalized linear equivalence. We first consider the case m > n. Then:

1. If matrix T of the change of basis is defined as

T = \begin{pmatrix} A & 0 \\ 0 & B \end{pmatrix}

where A is a non-singular m × m matrix and B is a non-singular n × n matrix
over F_p, then:

— Matrix T is non-singular.

— If we examine the transformed set of vectors, we see that it still describes
a function g which has the following relation with function f:

g(x) = B f(A^{-1} x)

The relation is easy to prove, once we remember that the first m components
of the vectors in the implicit embeddings of f and g represent the input
values, and the last n components represent the corresponding output values.
Thus, carrying out the matrix-vector multiplication at block level, we obtain
y = Ax and g(y) = Bf(x), and substituting we have the above relation
between f and g. Obviously, if A = I_m (the m × m identity matrix over F_p)
and B = I_n (the n × n identity matrix over F_p) we obtain f again, because
the global transformation is the identity.

2. If matrix T of the change of basis is defined as

T = \begin{pmatrix} A & 0 \\ C & B \end{pmatrix}

where A is a non-singular m × m matrix, B is a non-singular n × n matrix
and C ≠ 0 is an n × m matrix over F_p, then:

— Matrix T is non-singular.

— If we examine the transformed set of vectors, we see that it still describes
a function g which has the following relation with function f:

g(x) = B f(A^{-1} x) + C A^{-1} x
¹ We observe that the concept of generalized affine equivalence could be defined along
the same lines, to remove the artificial restriction that if two S-boxes are equivalent
and one maps 0 to 0, the other must also.
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Thus we obtain all the functions that are linearly equivalent (in the classical
sense) to f, according to (3).

3. If matrix T of the change of basis is defined as

T = \begin{pmatrix} A & D \\ C & B \end{pmatrix}

where A ≠ 0 is an m × m matrix, B is an n × n matrix, C is an n × m matrix
and D ≠ 0 is an m × n matrix over F_p, then, if matrix T is non-singular, we
can examine the transformed set of vectors. Two possibilities arise:

(a) It may happen that the transformed set does not describe a function
anymore, because the non-singularity of T does not always imply that
condition 3 in Sect. 2.1 is satisfied.

(b) The transformed set satisfies condition 3 in Sect. 2.1, and function g is
generally equivalent to function f, although it is not obtainable within
the classical theory. The link between g and f is non-trivial: the output
vectors of g (the last n components of the transformed vectors) are
obtained by mixing information contained in the input vectors of f by
means of matrix C and information contained in the output vectors of f
by means of matrix B. The difference from the previous case is that the
same thing happens also to the input vectors of g, by means of matrices
A and D. As a result it is not possible to express the relation between
f and g with a simple equation as before; nonetheless the two functions
are generally linearly equivalent. The truth tables of the two functions
can be expressed as:

f : x ↦ f(x)

g : Ax + Df(x) ↦ Cx + Bf(x)

Note that the reason why the transformed vector set still represents a
function is simply that the function h : x ↦ Ax + Df(x) is a permutation
over F_p^m.

If m = n holds, the above cases are still valid; however, if it happens that f
is invertible, more cases can be considered. In particular:

4. If matrix T of the change of basis is defined as

T = \begin{pmatrix} 0 & D \\ C & 0 \end{pmatrix}

where C, D are non-singular m × m matrices over F_p, then:

— Matrix T is non-singular.

— If we examine the transformed set of vectors, we see that it still describes
a function g, and it holds that:

g(x) = C f^{-1}(D^{-1} x)
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This happens because the blocks C, D swap the input and the output parts
of all the vectors belonging to the implicit embedding of f in the implicit
embedding of g. Obviously, if C = D = I_m we obtain the inverse of f.
We have thus reduced the operation of inversion of a function to a linear
transformation over the space where the implicit embedding of the function
is defined. This is surely a convenient feature of the proposed formulation.

5. If matrix T of the change of basis is defined as

T = \begin{pmatrix} 0 & D \\ C & B \end{pmatrix}

where B ≠ 0 is an m × m matrix and C, D are non-singular m × m matrices
over F_p, then:

— Matrix T is non-singular.

— The relation between f and g is the following:

g(x) = C f^{-1}(D^{-1} x) + B D^{-1} x

i.e. we obtain all the functions that are linearly equivalent (in the classical
sense) to the inverse of f.

Last, we consider the case m < n. The following considerations can be made:

— Cases 1, 2, 3 are still valid; however, in the conditions for case 3 we should
substitute A ≠ 0 with B ≠ 0.

— Case 4 is not applicable.

— Under some assumptions for matrix D and function f, case 5 can still be
valid. However, we lose the relationship with the inverse transformation
(which is not defined when the numbers of input and output variables are
different); moreover this case in fact becomes a special instance of 3, thus it
does not deserve a separate mention.

In all the remaining cases, either it can be proved that matrix T is singular,
or the transformed set of vectors cannot represent a function, so we have no
interest in examining them.
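As an added example (not code from the paper, and written for p = 2 only), the following Python script builds the implicit embedding of a 3-bit S-box, applies a block matrix T = [[A, D], [C, B]] to it and checks condition 3 of Sect. 2.1 on the result, so that cases 2, 3(a), 3(b) and 4 above can be reproduced on a concrete function. Everything in it is constructed: f is x^3 over GF(2^3) with modulus x^3 + x + 1 (given as a lookup table), S is the matrix of the squaring map in that field, L is an arbitrary 3 × 3 matrix, and the case-3(b) matrix [[I + S, I], [I, 0]] is the one used for Example 2 in Sect. 4 of the paper.

```python
"""Implicit embedding and block-matrix changes of basis over F_2 (Sect. 2).
Added example, not code from the paper.  A vector over F_2 is an int whose
bit i is component i, so an embedding vector is x | (f(x) << m).  A matrix
is a list of row masks: (M v)_r = parity(M[r] & v)."""

CUBE = [0, 1, 3, 4, 5, 6, 7, 2]   # constructed: x -> x^3 in GF(2^3), modulus x^3+x+1
SQ = [0, 1, 4, 5, 6, 7, 2, 3]     # constructed: x -> x^2 (Frobenius, F_2-linear)
M = N = 3                         # input and output dimension


def parity(v):
    return bin(v).count("1") & 1


def matvec(rows, v):
    """Product of the F_2 matrix `rows` with the bit-vector v."""
    return sum(parity(r & v) << i for i, r in enumerate(rows))


def identity(k):
    return [1 << i for i in range(k)]


def matrix_of(linear_map, k):
    """Matrix of an F_2-linear map on k-bit vectors, from its images of e_c."""
    cols = [linear_map(1 << c) for c in range(k)]
    return [sum(((cols[c] >> r) & 1) << c for c in range(k)) for r in range(k)]


def rank_gf2(rows):
    """Rank by elimination on leading bits; T is non-singular iff rank = m+n."""
    pivots = {}
    for r in rows:
        while r:
            hb = r.bit_length() - 1
            if hb not in pivots:
                pivots[hb] = r
                break
            r ^= pivots[hb]
    return len(pivots)


def block_matrix(A, D, C, B, m, n):
    """T = [[A, D], [C, B]] acting on x | (y << m): rows 0..m-1 give the new
    input part A x + D y, rows m..m+n-1 the new output part C x + B y."""
    return ([A[r] | (D[r] << m) for r in range(m)]
            + [C[r] | (B[r] << m) for r in range(n)])


def embedding(f, m):
    """Implicit embedding: one (m+n)-bit vector per row of the truth table."""
    return {x | (f[x] << m) for x in range(1 << m)}


def as_function(vectors, m):
    """Truth table represented by a vector set, or None when condition 3 of
    Sect. 2.1 fails (an input configuration is missing or repeated)."""
    table = {}
    for w in vectors:
        x = w & ((1 << m) - 1)
        if x in table:
            return None
        table[x] = w >> m
    return [table[x] for x in range(1 << m)] if len(table) == 1 << m else None


def apply_change_of_basis(f, A, D, C, B, m=M, n=N):
    T = block_matrix(A, D, C, B, m, n)
    assert rank_gf2(T) == m + n, "T must be non-singular"
    return as_function({matvec(T, w) for w in embedding(f, m)}, m)


I, Z = identity(M), [0] * M
S = matrix_of(lambda x: SQ[x], M)
assert all(matvec(S, x) == SQ[x] for x in range(8))   # squaring really is linear


def case2_ea(f=CUBE, L=(5, 1, 6)):
    """Case 2, T = [[I, 0], [L, I]]: g(x) = f(x) + L x (classical relation)."""
    g = apply_change_of_basis(f, I, Z, list(L), I)
    assert g == [f[x] ^ matvec(list(L), x) for x in range(1 << M)]
    return g


def case4_inverse(f=CUBE):
    """Case 4, T = [[0, I], [I, 0]] swaps input and output parts: g = f^{-1}."""
    return apply_change_of_basis(f, Z, I, I, Z)


def case3_not_a_function(f=CUBE):
    """Case 3(a): T = [[I, I], [0, I]] is non-singular, but x -> x + x^3 sends
    both 0 and 1 to 0, so the transformed set is not a function."""
    return apply_change_of_basis(f, I, I, Z, I)


def case3_new_function(f=CUBE):
    """Case 3(b): T = [[I+S, I], [I, 0]]; the new input part x + x^2 + x^3 is
    a permutation of GF(2^3), so we get h with h(x + x^2 + x^3) = x."""
    IS = [I[r] ^ S[r] for r in range(M)]
    return apply_change_of_basis(f, IS, I, I, Z)


if __name__ == "__main__":
    print("case 2, f(x) + Lx   :", case2_ea())
    print("case 4, inverse x^5 :", case4_inverse())
    print("case 3(a)           :", case3_not_a_function())
    print("case 3(b), h        :", case3_new_function())
```

`as_function` is the implementation of condition 3: it is the only thing separating case 3(a) from case 3(b), and a non-singular T (checked by `rank_gf2`) does not guarantee it, exactly as the text says.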

In the following, an example of a family of functions belonging to case 3 for
m > n is given.

Example 1. The family of functions f : F_p^{2m} → F_p^m with p prime and m > 1
is given, where the input vector x and f(x) are defined as:

x = (x_1)|(x_2),   x ∈ F_p^{2m},   x_1, x_2 ∈ F_{p^m}

f(x) = f((x_1)|(x_2)) = x_1^{-1} + x_2^{-1}

where we indicate with | the simple concatenation of two vectors (actually, x_1
and x_2 represented as vectors over F_p are concatenated). When function f is
transformed into function g using a suitable matrix T, we can simply write
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g = T(f) as the same equation holds for the implicit embeddings of the two
functions. The implicit embeddings of f and g can be visually represented, along
with a block decomposition of T; we write explicitly:

g = T(f) :
\begin{pmatrix} I_m & 0 & 0 \\ 0 & 0 & I_m \\ I_m & I_m & I_m \end{pmatrix}
\begin{pmatrix} x_1 \\ x_2 \\ x_1^{-1} + x_2^{-1} \end{pmatrix}
=
\begin{pmatrix} x_1 \\ x_1^{-1} + x_2^{-1} \\ x_1^{-1} + x_2^{-1} + x_1 + x_2 \end{pmatrix}



It can be observed that matrix T is non-singular and that the transformed
set of vectors still represents a function, because the input part (x_1)|(x_1^{-1} + x_2^{-1})
is still a permutation over F_p^{2m} when x_1, x_2 vary over F_{p^m} (i.e. all the possible
input values for g are specified in the implicit embedding). We make here the
underlying assumption that, with an abuse of notation, 0^{-1} = 0.

By Def. 1 the two functions f, g are generally linearly equivalent, although
there is no way to express the link using the classical theory of equivalence,
since every function that is classically linearly equivalent to f is obtained with
a matrix T characterized by a null upper-right block. The truth table of g is
written in compact form as

((x_1)|(x_1^{-1} + x_2^{-1})) ↦ (x_1^{-1} + x_2^{-1} + x_1 + x_2)

Any property that is invariant under the considered transformation is com- 
mon between / and g. In the next Section we present a result on the invariance 
of cryptographic robustness. 



3 Cryptographic Robustness of Generally Equivalent 
Functions 

We start by recalling a fundamental result of the classical theory [15], [2]:

Theorem 1. Given two functions f and g, if they are linearly equivalent, i.e. if
there exist two non-singular matrices A, B such that

g(x) = B f(Ax)   (5)

then the distributions of the values in the DDTs and LATs of f and g are equal.

Corollary 1. As a consequence of Theorem 1, we have that Δ_f = Δ_g and
Λ_f = Λ_g.

It is also known that the same parameters are conserved when we consider
the inverse of a function (the DDTs and LATs are merely transposed), or when
we add a linear combination of the input variables of the function directly to its
output variables [9].

Since we proved that these relations are particular occurrences of the general- 
ized linear equivalence, it is therefore natural to ask whether the same parameters 
are also invariant in the general case. We answer with the following theorem. 
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Theorem 2. Given two functions f, g : F_p^m → F_p^n and a non-singular (m + n) × (m + n)
matrix T over F_p, if g = T(f) then the distributions of values in
the linear and differential tables of f and g are equal.

Proof. We first prove the relation regarding the DDTs of f and g.

A cell of the DDT of f located in the i-th row and j-th column contains the
number of input vector couples (x, y) such that y = x + i and f(y) = f(x) + j,
according to (1).

Thus, if we consider the geometric representation for function f we have that
the cell contains the number of vector couples (w, z) belonging to the implicit
embedding of f such that w = z + k where k = (i)|(j) (the concatenation of i
and j); note that i ∈ F_p^m, j ∈ F_p^n and k ∈ F_p^{m+n}.

These couples will be transformed by the change of basis into other couples
(w', z') belonging to the implicit embedding of function g such that w' = Tw,
z' = Tz and w' = z' + k' with k' = Tk.

Since matrix T is non-singular, there is a bijection between the values of k
and those of k', i.e. the cells of the DDT of g are just a (linear) rearrangement
of the cells of the DDT of f.

A similar reasoning can be applied to prove the relation between the LATs.

A cell of the LAT of f located in the i-th row and j-th column contains the
number of input vectors x such that i^T · x + j^T · f(x) = 0, where we denote
the inner product with · and, for the sake of clarity, the transpose of a vector
with ^T.

Thus, if we consider the geometric representation for function f we have that
the cell contains the number of vectors w belonging to the implicit embedding of
f such that k^T · w = 0 where k = (i)|(j); note that i ∈ F_p^m, j ∈ F_p^n and
k ∈ F_p^{m+n}.

These vectors will be transformed by the change of basis into other vectors w'
belonging to the implicit embedding of function g such that w' = Tw. We can
rewrite the equation as:

k^T · w = 0  ⟺  k^T · T^{-1} w' = 0  ⟺  (T^{-T} k)^T · w' = 0  ⟺  (k')^T · w' = 0

Since matrix T is non-singular, there is a bijection between the values of k and
those of k' = T^{-T} k, i.e. the cells of the LAT of g are just a (linear) rearrangement
of the cells of the LAT of f. □

Corollary 2. As a consequence of Theorem 2 we have that if f and g are generally
linearly equivalent, then Δ_g = Δ_f and Λ_g = Λ_f.

We thus conclude that two generally linearly equivalent functions are characterized
by the same cryptographic robustness; since the general case extends the
classical relation, we can justify the common robustness of previously unrelated
functions, such as f and g in Example 1.

It is a rather computationally difficult problem to decide whether two given
functions are linearly equivalent: besides exhaustive search on the space of all
possible matrices, it is possible to classify the functions based on the distribution
of values in the Walsh-Hadamard transform. Recently, Fuller and Millan
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[9] have developed a classification method which exploits the concept of connectivity
between two functions f, g : F_2^m → F_2. They applied the method to the
case m = 8 and to the Rijndael S-box, being able to prove that all the output
variables of the only nonlinear step of the algorithm are linearly equivalent. Also,
a description of optimized algorithms able to find out whether two given
invertible S-boxes are equivalent under a linear (or affine) transformation can be
found in [5].

The result of Theorem 2 states that the whole distributions of values in the
cryptographic tables are equal, not only the maximum values; such information
could be used as a necessary condition for the generalized equivalence of two
functions: if the two distributions differ, it can be immediately concluded that
the two functions are not generally equivalent². The check of this condition is
not considered in [5]; we think that the check could speed up considerably the
algorithms in most cases of negative answer. Obviously the condition is not
sufficient, and further techniques are needed to conclude that the two functions
are generally (or classically) linearly equivalent.

It may be useful, at the end of this Section, to give also the geometric meaning 
of the parameters that measure cryptographic robustness. 

In particular, the entries in the DDT of function / represent the number of 
vector couples belonging to the implicit embedding of /, that sum up to the 
same fixed vector, i.e. the (composed) difference vector. We can mentally view 
the process if we figure that the usual parallelogram rule is used to sum the 
vectors, as it would be done in standard Euclidean spaces; in practice, we are 
searching the vector couples that lead to the same path in the space S. This is 
evidently a measure of the redundancy of the information that characterizes the 
particular set of function vectors, i.e. the function itself. 

The entries in the LAT, instead, can be seen as the number of vectors belong- 
ing to the implicit embedding of / that are orthogonal to a given fixed vector, 
since the inner product is the scalar product in S; the fixed vector is obtained by 
concatenating the masks that are classically applied to the function input and 
output values to compute the LAT. This can also be thought of as a measure of
the redundancy of the directions of the function vectors, and eventually of the
function itself.

Finally, note that when the classical notion of linear equivalence is considered, 
we have linear rearrangements of the rows and the columns of the cryptographic 
tables; when generalized equivalence is applied, we have a linear rearrangement 
of the cells within the tables. There may exist couples of functions where the 
distributions of the values in the cryptographic tables are equal, but the actual 
arrangements of the cells cannot be linearly correlated. In these cases we can 
prove that the functions are not generally equivalent if we show that there are 
no possible linear rearrangements of the cells of one table that lead exactly to 
the other table. 



² Since the classical equivalence is a special case of the generalized equivalence, the
two functions are not equivalent in the classical theory either.
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4 Application of the Criterion to Power Functions

The set of monomial power functions over F_{p^m} is interesting, since significant
examples of functions with the minimum possible Δ_f can be found in this class.

If p = 2 the minimum possible value for Δ_f when f : {0, 1}^m → {0, 1}^n is
2^{m-n}; functions reaching this limit are called Perfect Nonlinear (PN) [16] and
exist only for m even and m ≥ 2n. If we consider the important class of S-boxes,
i.e. f : {0, 1}^m → {0, 1}^m, then the minimum possible value for Δ_f is 2; functions
reaching this limit are called Almost Perfect Nonlinear (APN) [17]. The only
known examples of APN functions (up to classical linear equivalence) are power
monomials; the list of known values for the exponent d such that f(x) = x^d
is APN can be found in [8]. Such functions find applications in symmetric key
cryptography.

When p > 2 the minimum possible value for Δ_f is 1; functions reaching
this limit are again called Perfect Nonlinear (PN). There are examples of PN
and APN power functions over F_{p^m}, and there is also one known example of a
function that is not a power monomial but is PN over F_{p^m} for certain values of
m [8].

Normally power monomials in even characteristic are classified into cyclotomic
cosets, where a coset contains all the power monomials {x^d, x^{2d}, ..., x^{2^{m-1} d}};
the value d is called the coset leader and the power functions belonging
to the same coset are classically linearly equivalent. Also, the inverse function
x^{d^{-1}} (with the exponent taken modulo 2^m − 1) has the same cryptographic
robustness as x^d, although it (in general) belongs to a different coset and is not
linearly equivalent to x^d. Cosets, expanded with the usual classical equivalence
criterion of Eq. 3, constitute the equivalence classes of power functions.

Using the criterion of generalized linear equivalence, different classical equivalence
classes are merged into one: this is the case for instance of the classical
equivalence classes of x^d and x^{d^{-1}}, since we have shown that in the new formalism
the operation of inversion is nothing but a special case of linear transformation.

Moreover, we can show the existence of some functions that are not classically
linearly equivalent to any power monomial, but still are APN.

Example 2. Consider the finite field F_{2^3}; the classification of all the possible
exponents into cyclotomic cosets is given by:

C_0 = {0}

C_1 = {1, 2, 4}

C_3 = {3, 6, 5}

where the cosets C_i are numbered according to the coset leader i. Coset C_0
contains only the constant function; coset C_1 contains the power monomials that
are linear; coset C_3 contains non-linear APN power monomials. Since the inverse
of x^6 is again x^6 and the inverse of x^3 is x^5, this coset is its own inverse³.



³ Note that this always happens to the coset that contains the inverse power function
x^{-1}, which in this case is actually x^6.
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Coset C_3 can be expanded into a (classical) linear equivalence class of f(x) = x^3
by considering all the functions g(x) such that

g(x) = T(f(x)),   T = \begin{pmatrix} A & 0 \\ C & B \end{pmatrix}

with A and B non-singular (case 2 of Sect. 2.2). Obviously, all these functions are
APN, and x^6, x^5 are some members of this class.

Now, consider the function h(x) such that

h(x) = T'(f(x)),   T' = \begin{pmatrix} I + S & I \\ I & 0 \end{pmatrix}

where S is the matrix that gives the square of x (x^2 is a linear transformation in
even characteristic, thus it can be represented by a matrix multiplication). The
implicit embedding of h, and thus its truth table, is described by:

\begin{pmatrix} x^3 + x^2 + x \\ x \end{pmatrix},   i.e.   h : x^3 + x^2 + x ↦ x

This implicit embedding still defines a function because x^3 + x^2 + x is a
permutation polynomial over F_{2^m} with m odd, see Corollary 2.10 of [19]. Since
matrix T' is non-singular, h is generally linearly equivalent to f and thus is APN.
However, h does not belong to the classical equivalence class that extends C_3,
because all the functions in this class are obtainable from f(x) only using matrices
T with a null upper-right block. We conclude that h belongs to a (classical)
equivalence class that contains APN functions but is different from that of f(x),
which is the only one obtainable from power functions over F_{2^3}. Both these
equivalence classes will be merged into one when the general equivalence classes
are considered; thus, this is another example of class merging.

Note that function h can actually be obtained from function f using classical
means, i.e. by first transforming f into a classically linearly equivalent function g
and then inverting, since:

\begin{pmatrix} I + S & I \\ I & 0 \end{pmatrix}
=
\begin{pmatrix} 0 & I \\ I & 0 \end{pmatrix}
\begin{pmatrix} I & 0 \\ I + S & I \end{pmatrix}

However, this does not lead to a function that is classically equivalent to f;
while this may be difficult to prove classically, it becomes evident when general
linear equivalence is introduced and one considers that matrix T' cannot belong
to the family of matrices T indicated in the example.
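As an added example (not the authors' code) for Theorem 2, the necessary condition stated at the end of Sect. 3, and Example 2 above, the following Python script computes the DDT and LAT of f(x) = x^3 over F_{2^3} and of h, the inverse of x + x^2 + x^3, compares their value distributions, and checks the cell-level rearrangement k' = T'k from the proof of Theorem 2 for T' = [[I + S, I], [I, 0]]. The field tables are constructed for the modulus x^3 + x + 1 with elements as 3-bit integers; the identity map is used as a deliberately non-equivalent third function to show the condition rejecting a pair.

```python
"""Cryptographic tables of generally equivalent S-boxes (Theorem 2, Sect. 3),
checked on the pair of Example 2.  Added example, not code from the paper;
the GF(2^3) tables below are constructed for the modulus x^3 + x + 1."""
from collections import Counter

CUBE = [0, 1, 3, 4, 5, 6, 7, 2]   # constructed: x -> x^3
SQ = [0, 1, 4, 5, 6, 7, 2, 3]     # constructed: x -> x^2
M = N = 3


def inverse_table(t):
    inv = [None] * len(t)
    for x, y in enumerate(t):
        assert inv[y] is None, "not a permutation"
        inv[y] = x
    return inv


# h of Example 2: T' = [[I+S, I], [I, 0]] sends (x, x^3) to (x + x^2 + x^3, x),
# so h is the inverse of the permutation polynomial x + x^2 + x^3.
H = inverse_table([x ^ SQ[x] ^ CUBE[x] for x in range(1 << M)])


def parity(v):
    return bin(v).count("1") & 1


def ddt(f, m=M, n=N):
    """DDT[i][j] = #{x : f(x + i) + f(x) = j} (input difference i, output j)."""
    t = [[0] * (1 << n) for _ in range(1 << m)]
    for i in range(1 << m):
        for x in range(1 << m):
            t[i][f[x ^ i] ^ f[x]] += 1
    return t


def lat(f, m=M, n=N):
    """LAT[i][j] = #{x : i.x + j.f(x) = 0} for input mask i and output mask j."""
    return [[sum(1 for x in range(1 << m) if parity(i & x) == parity(j & f[x]))
             for j in range(1 << n)] for i in range(1 << m)]


def distribution(table):
    """Multiset of cell values: the quantity Theorem 2 says is invariant."""
    return Counter(v for row in table for v in row)


def differential_uniformity(f):
    """Largest DDT entry outside row 0; 2 is the APN bound for p = 2."""
    return max(max(row) for row in ddt(f)[1:])


def may_be_generally_equivalent(f, g):
    """Necessary condition of Sect. 3: equal DDT and LAT value distributions.
    False proves non-equivalence (classical or general); True proves nothing."""
    return (distribution(ddt(f)) == distribution(ddt(g))
            and distribution(lat(f)) == distribution(lat(g)))


def ddt_cells_rearranged(f=CUBE, h=H):
    """Cell-level relation from the proof: a difference k = (i, j) of f becomes
    k' = T'k = ((I+S) i + j, i) of h, so DDT_h is a rearrangement of DDT_f."""
    df, dh = ddt(f), ddt(h)
    return all(dh[i ^ SQ[i] ^ j][i] == df[i][j]
               for i in range(1 << M) for j in range(1 << N))


if __name__ == "__main__":
    print("h =", H)
    print("max DDT entry of x^3:", differential_uniformity(CUBE))
    print("max DDT entry of h  :", differential_uniformity(H))
    print("x^3 ~ h possible    :", may_be_generally_equivalent(CUBE, H))
    print("x^3 ~ x possible    :", may_be_generally_equivalent(CUBE, list(range(8))))
    print("DDT cells rearranged:", ddt_cells_rearranged())
```

`may_be_generally_equivalent` is the cheap filter the text proposes for the algorithms of [5]: it costs two table computations and settles most negative cases, but a `True` result still leaves the matrix search to be done.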



5 Conclusions 

In this paper we have presented the criterion of generalized linear equivalence. 
We have shown that the criterion extends the classical notion of linear equiv- 
alence; all the known cases of transformations that lead to invariance of the 
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cryptographic robustness can be treated as special instances of the proposed re- 
lation. Also, it can be shown that there are functions that cannot be correlated 
using the classical theory but become equivalent under the proposed criterion. 
We have used general equivalence to show that there are APN functions that 
are not classically linearly equivalent to power monomials, and that these equiv- 
alence classes are merged under the extended criterion. 
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Abstract. This paper proposes a new sieving algorithm that employs 
a bucket sort as a part of a factoring algorithm such as the number 
field sieve. The sieving step requires an enormous number of memory 
updates; however, these updates usually cause cache hit misses. The 
proposed algorithm dramatically reduces the number of cache hit misses 
when the size of the sieving region is roughly less than the square of the 
cache size, and the memory updates are several times faster than the 
straightforward implementation. 



1 Introduction 

The integer factoring problem is one of the most important topics for public-key 
cryptography, because the RSA cryptosystem is the most widely used public-key 
cryptosystem, and its security is based on the difficulty of the integer factoring 
problem. Over a few hundred bits, the number field sieve [1] is currently the
fastest algorithm for factoring an RSA modulus.

The number field sieve consists of many steps. It is known that the sieving 
step is theoretically and experimentally the most time-consuming step. It is 
noted that a straightforward implementation of the sieving step on a PC causes 
a long delay in memory reading and writing, and the sieving program is several 
dozen times faster if all memory accesses utilize the cache memory. 

This paper focuses on memory access in the software implementation of the 
sieving step on a PC, and introduces an algorithm that reduces the number 
of cache hit misses. The experimental results confirm that the proposed sieving 
algorithm is several times faster than that in the straightforward implementation. 



2 Preliminaries 

2.1 Number Field Sieve 

This section briefly describes the number field sieve algorithm that is relevant to 
the scope of the paper. Details regarding this algorithm can be found in (e.g. [1]). 
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Let N be the composite number to be factored. Find an irreducible
polynomial f(X) ∈ Z[X] and its root M such that f(M) ≡ 0 (mod N). The
purpose of the sieving step is to collect many coprime pairs (a, b) ∈ Z² such
that N_R(a, b) = |a + bM| is B_R-smooth and N_A(a, b) = |b^{deg f} f(−a/b)| is
B_A-smooth¹. Such a coprime pair (a, b) is called a relation.

We describe the line-by-line sieve (hereafter simply referred to as line
sieve) as Algorithm 1; it is the most basic algorithm used to find relations.
Hereafter, we omit the details on the algebraic side, because very similar algorithms
are used for the algebraic side. Algorithm 1 assumes that 2H_a elements
are allocated for array S. The sieving region may be divided if 2H_a is greater
than the suitable size for the implementation platform. The size of each element,
S[a], is typically 1 byte, and the base for log p is selected such that it does
not exceed the maximum representable value of S[a].

Algorithm 1 (line sieve for rational side (basic version)).

1: for b ← 1 to H_b
2:     for all a (−H_a ≤ a < H_a), initialize S[a] to log N_R(a, b)
3:     for prime p ← 2 to B_R
4:         Compute a ≥ −H_a as the first sieving point depending on b and p
5:         while a < H_a
6:             S[a] ← S[a] − log p
7:             a ← a + p
8:     Completely factor N_R(a, b) for all a if S[a] < some threshold

In Step 8, the threshold is determined by considering the error generated by the logarithm
rounded to the nearest integer in Steps 2 and 6, and the omission of prime
powers².

2.2 Large Prime Variation

If B_R is close to or greater than H_a, the while-loop in Step 5 is hardly activated,
and the first sieving point computation in Step 4 may dominate the sieving time.
For this case, we can use the large prime variation. The changes compared to
the basic version are as follows:

1. Set the bound for p at Step 3 to B'_R (< B_R).

2. Relax the threshold at Step 8 in Algorithm 1.

The faster the primality testing and factoring for small integers greater than
B'_R become, the more relaxed the threshold can be.

Based on experience, the most time-consuming part in the large prime variation
is reading and writing memory to update S[a] in Step 6. This paper
optimizes the memory read/write process.



¹ "x is y-smooth" means that all prime factors of x are less than or equal to y.

² By regarding prime power p^e as prime and log p^e as log p, prime powers can be easily
incorporated into Algorithm 1.
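The following Python script is an added example, not the authors' code: it implements Algorithm 1 for the rational side with prime powers credited as footnote 2 describes, and the large prime variation of Sect. 2.2 as a `sieve_bound` parameter that sieves only primes up to B'_R and relaxes the threshold. M = 97, H_a = 64, H_b = 4 and B_R = 13 are constructed toy parameters; the logarithms are scaled by 8 and rounded to integers to mimic a 1-byte S[a], and the threshold is derived from that rounding error here rather than taken from the paper. A brute-force reference shows which relations the sieve finds and which the large prime variation misses.

```python
"""Line sieve for the rational side (Algorithm 1) with prime powers credited
as in footnote 2 and the large prime variation of Sect. 2.2.  Added example,
not the authors' code: M, H_a, H_b and the bounds are constructed sample
parameters, orders of magnitude below those of a real NFS run."""
import math


def primes_upto(n):
    flags = bytearray([1]) * (n + 1)
    flags[0:2] = b"\x00\x00"
    for i in range(2, int(n ** 0.5) + 1):
        if flags[i]:
            flags[i * i::i] = bytearray(len(range(i * i, n + 1, i)))
    return [i for i, v in enumerate(flags) if v]


def prime_powers(p, limit):
    q, powers = p, []
    while q <= limit:
        powers.append(q)
        q *= p
    return powers


def is_smooth(x, bound):
    """Step 8: complete factorisation of the norm by trial division."""
    x = abs(x)
    if x == 0:
        return False
    for p in primes_upto(bound):
        while x % p == 0:
            x //= p
    return x == 1


def line_sieve(M, Ha, Hb, Br, sieve_bound=None, scale=8):
    """Return (relations, survivors): the (a, b) with gcd(a, b) = 1 and |a + bM|
    Br-smooth, and the number of positions that passed the threshold test.

    Logs are scaled by `scale` and rounded to ints, as they would be to fit a
    1-byte S[a].  With sieve_bound < Br only primes up to sieve_bound are
    sieved (large prime variation) and the threshold is relaxed by log Br, so
    a norm with one unsieved prime factor up to Br still reaches Step 8."""
    sieve_bound = Br if sieve_bound is None else sieve_bound
    max_norm = Ha + Hb * M
    # Footnote 2: p^e is sieved like a prime but credits only log p, so a norm
    # divisible by p^e receives e * log p in total.
    elems = [(q, round(scale * math.log(p)))
             for p in primes_upto(sieve_bound) for q in prime_powers(p, max_norm)]
    # Every rounded term is off by at most 1/2, and a smooth norm receives at
    # most log2(max_norm) subtractions on top of its initial value.
    threshold = math.ceil(0.5 * (2 + math.log2(max_norm)))
    if sieve_bound < Br:
        threshold += round(scale * math.log(Br))
    relations, survivors = [], 0
    for b in range(1, Hb + 1):                                       # Step 1
        S = [round(scale * math.log(abs(a + b * M))) if a + b * M else 255
             for a in range(-Ha, Ha)]                                # Step 2
        for q, lg in elems:                                          # Step 3
            a = -Ha + (Ha - b * M) % q    # Step 4: first a >= -Ha with q | a + bM
            while a < Ha:                                            # Step 5
                S[a + Ha] -= lg                                      # Step 6
                a += q                                               # Step 7
        for a in range(-Ha, Ha):                                     # Step 8
            if S[a + Ha] <= threshold:
                survivors += 1
                if math.gcd(a, b) == 1 and is_smooth(a + b * M, Br):
                    relations.append((a, b))
    return relations, survivors


def brute_force(M, Ha, Hb, Br):
    """Reference without sieving, to check that no relation is missed."""
    return [(a, b) for b in range(1, Hb + 1) for a in range(-Ha, Ha)
            if math.gcd(a, b) == 1 and is_smooth(a + b * M, Br)]


if __name__ == "__main__":
    for bound in (13, 7):
        rels, surv = line_sieve(97, 64, 4, 13, sieve_bound=bound)
        print(f"sieve_bound={bound}: {len(rels)} relations, {surv} survivors")
```

With `sieve_bound` equal to B_R the sieve finds every relation the brute-force reference finds; with a smaller bound the survivor count grows (norms with a factor above B_R now pass the relaxed threshold and are rejected only by trial division) while norms with two unsieved factors are lost, which is the trade-off the text describes.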





K. Aoki and H. Ueda



2.3 Memory Latency of a PC 

Recent PCs incorporate cache memory, which can usually be classified into
several levels; a lower level cache gives faster access but has lower capacity.
For better understanding, we provide an example. Let us consider the
Pentium 4 memory characteristics for logical operations performed by general
purpose registers, as shown in Table 1.



Table 1. Pentium 4 Northwood [2, p. 1-17, 1-19, 1-20]

                 Line size      Size      Latency
  Register       (4 B)          32 B      4 processor cycles
  Level 1 cache  64 B           8 KB      2 processor cycles
  Level 2 cache  64 B + 64 B    512 KB    7 processor cycles
  Main memory    (4 KB)         ~1 GB     12 processor cycles + 6-12 bus cycles



The memory system in a PC is constructed to provide good performance
for sequential address access; random address access is very poor. A
line sieve algorithm updates S[a] with stride p in Step 6 of Algorithm 1. When p is
greater than the size of the cache memory, the updates look like random accesses.
A read from the main memory requires at least 12 + 6 × (2.53/0.533) ≈ 40.5
processor cycles, where the Pentium 4 frequency is 2.53 GHz and the FSB is 533 MHz,
according to Table 1. However, the cost actually observed for a main memory
access is higher: an experiment shows that a random read from the main memory
requires several hundred processor cycles.

2.4 Previous Work

Sieving can be considered as waiting for memory, because the other steps in the
innermost loop (Steps 5 to 7 in Algorithm 1) are small and very simple.
To overcome cache hit misses, [3] proposed the block sieving algorithm. There
are two differences between the basic version of the line sieve in Algorithm 1
and the block sieving algorithm: the addition of Algorithm 2 between Steps 2
and 3, and the initial p in Step 3 is modified to the smallest prime greater
than B'_R. The block sieving algorithm classifies factor base primes into smallish
primes (∈ (0, B'_R]) and largish primes (∈ (B'_R, B_R]) and updates each small
region, whose size is H'_a, by the smallish primes. To achieve better performance,
H'_a and B'_R are set to approximately the size of the cache memory. Note that the
computation of the first sieving point in Step 3 in Algorithm 2 can be omitted
if the last sieving point computed in Step 4 is available. Focusing on the memory
hierarchy, the performance of the sieving step may be better optimized by
considering more parameters in classifying smallish primes in some environments.
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Algorithm 2 (Additional steps from line sieve to block sieving algorithm).

1: for a' ← −H_a to H_a step +H'_a
2:     for prime p ← 2 to B'_R
3:         Compute a ≥ a' as the first sieving point
4:         while a < a' + H'_a
5:             S[a] ← S[a] − log p
6:             a ← a + p



3 Sieving Using Bucket Sort

The number of cache hit misses for smallish primes greatly decreases using the
block sieving algorithm described in Sect. 2.4; however, the sieving for largish
primes still generates many cache hit misses. This section describes the reduction
in the number of cache hit misses for largish primes using the bucket sorting
algorithm [4, Sect. 5.2.5].

As mentioned in Sect. 2.3, memory updates between close addresses are not
penalized, and the log p subtractions, which are the memory update operations, are
commutative. Sorting (a, log p) using key a can reduce the number of cache hit misses;
however, the sorting should be done very quickly, because the number of S[a]
updates is roughly 2H_a(log log B_R − log log B'_R), that is, it is almost linear in H_a.
Since complete sorting is not required and recent PC models have very large
memory capacity, we use the bucket sorting algorithm to address this issue.

3.1 Proposed Algorithm

The proposed algorithm replaces the largish prime sieving in Algorithm 1, that
is, the algorithm has the same function as Algorithm 1 for sieving largish primes.
The algorithm is based on bucket sorting. Let n be the number of buckets, and
r be n_S / n, where n_S denotes the number of elements in S. Note that n_S = 2H_a
for Algorithm 1. The algorithm comprises the consecutive runs of Algorithms 3
and 4.
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Algorithm 4.

1: for all buckets that are numbered i (0 ≤ i < n)
2:     for all (a, log p) in the bucket i
3:         S[a] ← S[a] − log p

Algorithm 3 throws (a, log p) into the buckets, and Algorithm 4 updates S[a]
using the elements in the buckets.



3.2 Why Can the Proposed Algorithm Hit Cache Memory?

Figure 1 forms the basis for the following discussion. We first consider Algorithm 4.
All elements in a bucket only update the memory in a range of r cells.
Thus,

r × (Size of each S[a]) ≤ (Size of cache memory)   (1)

should hold. Next, we consider Algorithm 3. For each bucket, the addresses for
memory writes are contiguous. It is sufficient if

n × (Size of cache line) ≤ (Size of cache memory)   (2)

holds. Note that the cache memory can only be updated in units called cache
lines. We assume that the size of (a, log p) is less than the size of a cache line.
Combining (1) and (2), a suitable n exists if

n_S × (Size of each S[a]) = (Size of S[·]) ≤ (Size of cache memory)² / (Size of cache line)   (3)

holds.

Let us consider typical parameters using Table 1. The size of the cache
memory is 512 KB, and the size of the cache line is 128 B. Therefore the right-hand
side of (3) is 2^31 B. If we allocate each S[a] as 1 B, then S can occupy up
to 2 GB. This means that the proposed algorithm is effective for most PCs. The
proposed algorithm increases the number of memory accesses, but dramatically
reduces the number of cache hit misses with appropriate prefetching.
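As an added example (not the authors' implementation), the following Python script builds the two bucket passes of Sect. 3.1 and the parameter rule of Sect. 3.2. Algorithm 3, which the text describes only in words, is written from that description; the a' = (a + H_a) mod r reduction of Sect. 4.1 with r a power of 2 (Sect. 4.2) is included. M, H_a, the prime bounds and the scaled logarithms are constructed. Python cannot reproduce the cache effect, so the script checks instead that the bucket passes leave S exactly as direct sieving of the largish primes would, and what bucket count the 512 KB cache with 128 B lines of Table 1 admits for a given size of S.

```python
"""Bucket sieving of the largish primes (Sect. 3.1) with the bucket-count rule
of Sect. 3.2 and the (a, log p) size reduction of Sect. 4.1/4.2.  Added
example, not the authors' implementation: Algorithm 3 is written from the
text's description, and M, H_a and the prime bounds are constructed."""
import math


def primes_between(lo, hi):
    """Largish primes p with lo < p <= hi (lo plays the role of B'_R)."""
    return [p for p in range(lo + 1, hi + 1)
            if all(p % d for d in range(2, int(p ** 0.5) + 1))]


def choose_buckets(ns, elem_size, cache_size, line_size):
    """Smallest power-of-2 bucket count n with r = ns/n satisfying (1) and n
    satisfying (2); None when the size of S violates (3) for this cache."""
    if ns * elem_size > cache_size ** 2 // line_size:    # condition (3)
        return None
    n = 1
    while (ns // n) * elem_size > cache_size:             # condition (1)
        n *= 2
    return n if n * line_size <= cache_size else None     # condition (2)


def fill_buckets(M, b, Ha, largish, n, scale=8):
    """Algorithm 3 as described: for every largish p and every sieving point
    a, append (a', log p) to bucket (a + H_a) // r with a' = (a + H_a) mod r."""
    r = 2 * Ha // n
    assert r & (r - 1) == 0, "r must be a power of 2 (Sect. 4.2)"
    shift = r.bit_length() - 1                  # // r and mod r become shift and mask
    buckets = [[] for _ in range(n)]
    for p in largish:
        lg = round(scale * math.log(p))
        a = -Ha + (Ha - b * M) % p              # first a >= -H_a with p | a + bM
        while a < Ha:
            off = a + Ha
            buckets[off >> shift].append((off & (r - 1), lg))
            a += p
    return buckets


def empty_buckets(S, buckets):
    """Algorithm 4: bucket i only touches S[i*r .. (i+1)*r), a window that
    condition (1) keeps inside the cache."""
    r = len(S) // len(buckets)
    for i, bucket in enumerate(buckets):
        base = i * r
        for off, lg in bucket:
            S[base + off] -= lg
    return S


def bucket_sieve_row(M, b, Ha, B_small, Br, n, scale=8):
    """S[a + H_a] for row b after sieving all largish primes in (B_small, Br]."""
    S = [0] * (2 * Ha)    # start at 0 so the result is exactly the credited logs
    largish = primes_between(B_small, Br)
    return empty_buckets(S, fill_buckets(M, b, Ha, largish, n, scale))


def direct_credit(M, b, Ha, B_small, Br, scale=8):
    """Reference by trial division: -(sum of log p over largish p | a + bM)."""
    largish = primes_between(B_small, Br)
    return [-sum(round(scale * math.log(p)) for p in largish if (a + b * M) % p == 0)
            for a in range(-Ha, Ha)]


if __name__ == "__main__":
    # Table 1 parameters: 512 KB L2 cache, 128 B line, 1-byte S[a]
    for size in (1 << 20, 1 << 31, 1 << 32):
        print("S of", size, "bytes ->", choose_buckets(size, 1, 512 * 1024, 128), "buckets")
    buckets = fill_buckets(97, 1, 512, primes_between(16, 200), 8)
    print("bucket sizes:", [len(bk) for bk in buckets])
    print("matches direct sieving:",
          bucket_sieve_row(97, 1, 512, 16, 200, 8) == direct_credit(97, 1, 512, 16, 200))
```

`choose_buckets` encodes checks (1) to (3): for the 2 GB array of the text it returns 4096 buckets of 512 KB each, and for a 4 GB array it returns None because (3) no longer holds.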




Fig. 1. Memory usage for buckets and S 
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3.3 Related Work

[5], which follows the inspiring work [6], independently proposed sieving hardware
which sorts (a, log p). That paper does not consider the cache memory;
however, their algorithm is similar in that sieving is converted to sorting.



4 Optimizations and Improvements 

This section considers optimization techniques and improvements to the pro- 
posed algorithm. 

4.1 (a, logp) Size Reduction 

The size of a stored in a bucket can be reduced: a' = (a + H_a) mod r is sufficient to recover a, because a = ir + a' − H_a for the ith bucket.

Moreover, the number of bits for log p can be reduced to 1 bit, because (a, log p) can be generated in ascending order on p and log p in a bucket increases very slowly.

4.2 Number of Buckets 

For efficient computation of Step 5 in Algorithm 3 and the technique described 
in Sect. 4.1, r should be a power of 2 on most PCs. 

4.3 Hierarchical Buckets 

Considering the idea of radix sort and the cache hierarchy, Algorithm 4 can be modified to Algorithms 3 and 4 using smaller buckets.

4.4 Reduction in Memory for Buckets 

Consider the case that a PC does not have enough memory to allocate buckets to store all (a, log p)s. Whenever a bucket is full at Step 5 in Algorithm 3, call Algorithm 4 and empty the buckets.

4.5 Reduction in Sieving Memory S 

First, perform sieving for largish primes using Algorithms 3 and 4. When executing Algorithm 4, smallish primes can be sieved between Steps 1 and 2. In the ith bucket, a is in [ir − H_a, (i+1)r − H_a). Thus, r elements for S[a] are sufficient for the ith bucket.

Note that this idea cannot be used with the idea described in Sect. 4.4. 
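As an added example (not the paper's code), the following Python sketches Algorithms 3 and 4 on a toy sieving line a ∈ [−H_a, H_a) and checks them against a direct log p subtraction. It also applies the reduced bucket entry a' = (a + H_a) mod r of Sect. 4.1, the r-element window for S of Sect. 4.5, and conditions (1)–(3) of Sect. 3.2 for choosing the number of buckets. The factor base (one root per prime), the integer log p scale, H_a = 64, r = 16 and the Table 1 cache sizes are constructed or taken from the text; the helper names are hypothetical.

```python
import math

# Constructed toy factor base: (p, root) pairs, meaning every a ≡ root (mod p) on the
# sieving line is a location where log p must be subtracted. Real roots come from the
# polynomial in Algorithm 1; these are just illustrative.
FACTOR_BASE = [(3, 1), (5, 2), (7, 3), (11, 4), (13, 5), (17, 6)]


def log_p(p):
    """Integer approximation of log p, as sievers store it (the paper uses 1 byte)."""
    return round(math.log2(p))


def direct_sieve(h_a, factor_base):
    """Reference siever: subtract log p at every location, striding across all of S.
    Index j = a + H_a maps the line a ∈ [−H_a, H_a) onto S[0 .. 2H_a)."""
    s = [0] * (2 * h_a)
    for p, root in factor_base:
        for j in range((root + h_a) % p, 2 * h_a, p):
            s[j] -= log_p(p)
    return s


def fill_buckets(h_a, r, factor_base):
    """Algorithm 3: throw each sieve location into bucket i = (a + H_a) // r.
    Only a' = (a + H_a) mod r is stored (Sect. 4.1); appends to one bucket are
    sequential writes, which is what makes the cache lines effective."""
    n = (2 * h_a) // r
    buckets = [[] for _ in range(n)]
    for p, root in factor_base:
        for j in range((root + h_a) % p, 2 * h_a, p):
            buckets[j // r].append((j % r, log_p(p)))
    return buckets


def recover_a(i, a_prime, h_a, r):
    """Sect. 4.1: a = i·r + a' − H_a for an entry stored in the ith bucket."""
    return i * r + a_prime - h_a


def apply_buckets(h_a, r, buckets):
    """Algorithm 4 with the Sect. 4.5 observation: bucket i only touches the r
    consecutive cells S[i·r .. (i+1)·r), so an r-element window serves each bucket."""
    s = []
    for bucket in buckets:
        window = [0] * r              # the only memory bucket i ever updates
        for a_prime, lp in bucket:
            window[a_prime] -= lp
        s.extend(window)
    assert len(s) == 2 * h_a
    return s


def bucket_sieve(h_a, r, factor_base):
    """Full run: Algorithm 3 followed by Algorithm 4."""
    return apply_buckets(h_a, r, fill_buckets(h_a, r, factor_base))


def bucket_count(n_s, elem_size, cache_size, line_size):
    """Smallest number of buckets n meeting (1) and (2) of Sect. 3.2, or None when
    no such n exists; for power-of-two sizes this is exactly the case in which (3),
    n_S · |S[a]| ≤ cache² / line, is violated."""
    n = -(-(n_s * elem_size) // cache_size)   # ceil: r · |S[a]| ≤ cache      (1)
    if n * line_size > cache_size:            # n · line ≤ cache              (2)
        return None
    return n
```

With the Table 1 figures (512 KB cache, 128 B line, 1 B per S[a]) `bucket_count` returns 4096 buckets for a 2 GB sieve array and None for a 4 GB one, matching the 2^31 B bound derived in Sect. 3.2.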

4.6 Bucket Reuse for Trial Division 

The trial sieving algorithm [7] was proposed to reduce the time in Step 8 in Algorithm 1. The algorithm acts almost the same as the sieving algorithm discussed above, but it only considers a small set of (a, b). When filling buckets in Algorithm 3, store p in addition to (a, log p), and the buckets can be used for trial sieving. This can reduce the computational cost of the first sieving points for largish primes. However, storing p probably doubles the memory allocation for the buckets. It may be a good idea to avoid storing small primes that are classified as largish primes.

4.7 Application to Lattice Sieve 

The idea behind the proposed algorithm can be applied to any algorithm if the 
memory update operation is commutative. There are no problems in using the 
proposed algorithm for the lattice sieve. 

4.8 Tiny Primes 

[8, p.334] suggests that S[a] is initialized by the logarithm of tiny primes. It can 
be efficiently achieved by the following idea. First, compute the sieving pattern 
for tiny primes, which are less than , and their small powers. Once the pattern 
is computed, the initialization of S[a] can be done by duplicating the pattern by 
adjusting the correct starting position. 
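The following Python is an added example (not the paper's code) of the Sect. 4.8 idea: the contribution of tiny prime powers to S depends only on a mod L, where L is the least common multiple of the chosen prime powers, so one period of the pattern is computed once and then replicated into S from the starting offset (−H_a) mod L. The prime powers, the integer log p scale and H_a are constructed here; the function names are hypothetical.

```python
from math import lcm

# Constructed: the tiny prime powers folded into the pattern, and an integer log p
# scale per prime (the paper stores log p in one byte; the scale here is illustrative).
TINY_POWERS = [2, 4, 8, 3, 9]          # 2, 2^2, 2^3, 3, 3^2
LOG_TABLE = {2: 1, 3: 2}


def prime_of(q, log_table):
    """The prime p with q = p^e (q is a prime power by construction)."""
    return next(p for p in log_table if q % p == 0)


def tiny_pattern(prime_powers, log_table):
    """Sieve contribution of the tiny prime powers over one full period
    L = lcm(q): pattern[j] = sum of log p over every q in the list with q | j.
    Because the contribution depends only on a mod L, one period is enough."""
    period = lcm(*prime_powers)
    pattern = [0] * period
    for q in prime_powers:
        lp = log_table[prime_of(q, log_table)]
        for j in range(0, period, q):
            pattern[j] += lp
    return pattern


def init_s(h_a, pattern):
    """Initialise S for a ∈ [−H_a, H_a) by replicating the pattern from the right
    starting position: S[0] corresponds to a = −H_a, i.e. residue (−H_a) mod L."""
    period = len(pattern)
    start = (-h_a) % period
    s = []
    while len(s) < 2 * h_a:
        s.extend(pattern[start:])
        start = 0                 # every later copy starts at the period boundary
    return s[:2 * h_a]


def direct_tiny(h_a, prime_powers, log_table):
    """Reference: test each a against each prime power individually."""
    s = [0] * (2 * h_a)
    for q in prime_powers:
        lp = log_table[prime_of(q, log_table)]
        for j in range(2 * h_a):
            if (j - h_a) % q == 0:
                s[j] += lp
    return s
```

`init_s` produces the tiny-prime logarithms that the siever combines with its threshold when S is initialised; the direct version is only there to confirm that the replicated pattern is position-correct for any H_a, including one that is not a multiple of the period.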



5 Implementation on Pentium 4 

We implemented Algorithms 3 and 4 in the lattice sieve using all the techniques in Sect. 4 except for Sect. 4.4 and the last half of Sect. 4.1 on a Pentium 4 (Northwood) with 1 GB main memory and 533 MHz FSB. The specifications are the same as those described in Table 1. The prime bounds are described in Table 2. These names are from [9]. We tried to obtain the best B's using the factor base parameter for c158 as described in [10].

Table 2. Prime Bounds and Algorithms

Range            Name             Algorithm
p < B_0          Tiny prime       Sieving pattern
B_0 ≤ p < B_1    Smallish prime   Block sieving
B_1 ≤ p < B_2    Largish prime    Bucket sorting
B_2 ≤ p < B_3    Large prime      Primality testing and factoring



5.1 Parameter Selection 

We assign 1 B for log p and 4 B for each (a, log p), because the smallest memory read and write unit is 1 B and the basic memory data unit is 4 B for the Pentium 4.

On the factorization of c158, the sieving rectangle was 2H_c × H_d = 2^15 × 2^13. To translate the rectangle to a line sieve case, we can interpret 2H_a = 2^15 × 2^13 = 2^28. The large primes in each relation and the values of B_2 and B_3 are unclear. Therefore, we select two large primes for both sides in each relation, and set B_2 = 30 × 10^6, B_2 = 0.9 × Q, and B_1 = B_1 = 512 × 2^10, where Q denotes the special-Q, according to our factoring code, the primality testing for large prime products, the factor base bound for the line sieve, and the size of the level 2 cache. We tried the depths of 1, 2, and 3 for the hierarchical buckets with all powers of 2 for r, and found that the best hierarchy depth is 2. Surprisingly, the best r's are not the combination of the size of the level 2 cache and level 1 cache, but 2 MB and 256 KB.

Next, we tried to find the best B_1 for each side. Based on dozens of experiments, we find that B_1 = 2H_c and B_1 = 5H_c achieve almost the best performance.



Remark 1. We sieve prime powers less than V and select B_0 = B_0 = 5.

Remark 2. We classify smallish primes into small sets taking into account the size of the caches and the sieving range.

Remark 3. After executing Algorithm 3, the numbers of elements in each bucket are roughly the same. We found that a 2% difference is the largest in our experiments.

Remark 4. We used base-2 Solovay-Strassen primality testing [11, pp. 90-91], and ρ [11, pp. 177-183] and SQUFOF [11, pp. 186-193] as the factoring algorithms for large primes.



5.2 Factoring Example 

We factor the 164-digit cofactor c164 of 2^1826 + 1 using GNFS, and the 248-digit cofactor c248 of 2^1642 + 1 using SNFS, employing the above implementation. Refer to the Appendix for detailed information. The parameters used in the factoring of c164 and c248 are summarized in Table 3. For comparison purposes, Table 3 also includes the parameters used in the factoring of RSA-512 [12].



Table 3. Factoring Parameters for Lattice Sieve

          H_c   H_d   B_2     B_2     B_3   max sp-Q   #sp-Q    #LP   rel/MY
c164      16K   8K    40 m    0.95Q   4g    194 m      8.2 m    2+2   29 k
c248      16K   8K    0.95Q   100 m   4g    200 m      10.2 m   2+2   22 k
RSA-512   4K    5k    16M     16M     1g    15.7 m     308 m    2+2   14 k

The two B_2 columns are the bounds for the two sides.
k: 10^3, K: 2^10, m: 10^6, M: 2^20, g: 10^9, G: 2^30
rel/MY: Generated relations per MIPS year



The proposed siever yields more relations per MIPS year despite the fact that c164 is larger than RSA-512. However, a straightforward comparison should be avoided because the characteristics of the computers used for the above factorings are quite different, and MIPS is not optimal for comparing the sieving complexity.

Remark 1. The lattice siever used for RSA-512 is intended to factor RSA-130 [12, Sect. 3.2].

Remark 2. We timed MIPS using the output of a "BYTE benchmark." We obtained 3969679.6 lps for Dhrystone 2 without register variables. Thus, MIPS is computed by 3969679.6/1767 ≈ 2246.6. This number is used for c164 and c248 in column rel/MY.

Remark 3. We noticed that numbers larger than RSA-512 such as RSA-576 are already factored using GNFS [13] and that their siever seems faster than the one that was used for RSA-512. However, not enough information is provided to estimate the timings. We used the records that were published and the largest values [12].



6 Conclusion 

We proposed a sieving algorithm that cleverly uses the cache memory. The algorithm accelerates the memory update processes in the sieving step to several times faster than that of the simple log p subtraction. Moreover, we implemented the proposed algorithm in the lattice sieve on a Pentium 4, and successfully factored a 164-digit number using GNFS, and a 248-digit number using SNFS.

Appendix: Factoring Parameters and Statistics for c164 and c248

c164 and c248 are selected from the Cunningham table [14].

c164 is the 164-digit cofactor of 2^1826 + 1. 2^1826 + 1 can be trivially factored to 2,1826L × 2,1826M, where 2,1826L = 2^913 − 2^457 + 1, and its several factors are already known:

2,1826L = 997 × 2113 × 10957 × 46202197673 × 209957719973
        × 457905185813813 × 9118425814963735020084050069
        × 758984045239765414366290480154514089 × c164

c164 is factored into two primes, p68 × p97, where

p68 = 34334644886182446546273008924242084634327089789559771215864092254849.

c248 is the 248-digit cofactor of 2^1642 + 1. 2^1642 + 1 can be trivially factored to 2,1642L × 2,1642M, where 2,1642M = c248 = 2^821 + 2^411 + 1. c248 is factored into two primes, p88 × p160, where

p88 = 7505293746011641766492467854893261603664038102314712839047907776243712148179748450190533.
c164poly =
    8293702863045600 x^5
  + 5627796025215486707 x^4
  + 557524556427309931902111 x^3
  + 176917216602508818430161036 x^2
  − 13601173202899548432935219131949 x
  − 12171622290476241497444980012311021
M = 411268775932725752596939184846

c248poly =
    x^6
  + 2 x^3
  + 2
M = 2^137

Fig. 2. Polynomials used to factor c164 and c248



We used the polynomials described in Fig. 2 to factor cl64 and c248. 
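As an added example (not the paper's code), the following Python reproduces the arithmetic behind the appendix: the Aurifeuillean split 2^(4k+2) + 1 = L × M that gives 2,1826L and 2,1642M, the digit count of c248, and a polynomial-selection sanity check f(M) ≡ 0 (mod N) for the Fig. 2 polynomials. The Fig. 2 coefficients and the appendix factor list are transcribed from the page; the function names are hypothetical.

```python
def aurifeuillean_2(k):
    """Cunningham 'L' and 'M' parts: 2^(4k+2) + 1 = L·M with
    L = 2^(2k+1) − 2^(k+1) + 1 and M = 2^(2k+1) + 2^(k+1) + 1."""
    l_part = 2 ** (2 * k + 1) - 2 ** (k + 1) + 1
    m_part = 2 ** (2 * k + 1) + 2 ** (k + 1) + 1
    assert l_part * m_part == 2 ** (4 * k + 2) + 1
    return l_part, m_part


def digits(n):
    return len(str(n))


def poly_value(coeffs, x):
    """Horner evaluation; coeffs listed from the leading coefficient down."""
    value = 0
    for c in coeffs:
        value = value * x + c
    return value


def is_snfs_root(coeffs, m, n):
    """Polynomial selection sanity check: f(M) ≡ 0 (mod N)."""
    return poly_value(coeffs, m) % n == 0


def cofactor_after(n, factors):
    """Divide out listed factors; also report any that do not divide n."""
    rejected = [f for f in factors if n % f != 0]
    for f in factors:
        if n % f == 0:
            n //= f
    return n, rejected


# Exponents from the appendix: 1826 = 4·456 + 2 and 1642 = 4·410 + 2.
L1826, M1826 = aurifeuillean_2(456)      # 2,1826L and 2,1826M
L1642, M1642 = aurifeuillean_2(410)      # 2,1642L and 2,1642M
C248 = M1642                             # the appendix states 2,1642M = c248

# Known factors of 2,1826L listed in the appendix (transcribed from the page).
KNOWN_1826L = [997, 2113, 10957, 46202197673, 209957719973, 457905185813813,
               9118425814963735020084050069, 758984045239765414366290480154514089]

# Fig. 2 polynomials, leading coefficient first, with their M values.
C248_POLY = [1, 0, 0, 2, 0, 0, 2]                      # x^6 + 2x^3 + 2
M248 = 2 ** 137
C164_POLY = [8293702863045600, 5627796025215486707, 557524556427309931902111,
             176917216602508818430161036, -13601173202899548432935219131949,
             -12171622290476241497444980012311021]
M164 = 411268775932725752596939184846
```

For c248 the check is exact: M248^6 + 2·M248^3 + 2 = 2^822 + 2^412 + 2 = 2·c248, so f(M) is a multiple of N. For c164 the number N itself is not on the page, but evaluating c164poly at its M gives a 164-digit value, the size the polynomial must have for a base-M style polynomial of c164; `cofactor_after(L1826, KNOWN_1826L)` lets the reader divide the listed factors out of 2,1826L and confirm the cofactor size.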

Statistics are summarized in Table 4. CPU years for sieving are converted for the Pentium 4 2.53 GHz. A line sieve is used for the c164 factoring, and it yields 49 m relations. Free relations are not used for either factoring. Linear algebra is computed by a 16-PC cluster with GbE using block Lanczos with a 128-bit block. The Pentium 4 is used for both factorings, but its frequency is about 2.53 GHz for c164 and 3.2 GHz for c248. The programs used for the factoring are basically the same except that minor improvements are included for c248. More detailed information can be found at [15, 16].



Table 4. Statistics

          Sieve                  Linear algebra
          CPU years   Yields     Matrix size   Row weight   Calendar days
c164      7           458 m      7.5 m         167          12
c248      8.2         558 m      7.4 m         208          9.5
Abstract. Infinite groups have been used for cryptography since about twenty years ago. However, it has not been as fruitful as using finite groups. An important reason seems to be the lack of research on building a solid mathematical foundation for the use of infinite groups in cryptography. As a first step for this line of research, this paper pays attention to a property, the so-called right-invariance, which makes finite groups so convenient in cryptography, and gives a mathematical framework for correct, appropriate use of it in infinite groups.



1 Introduction 

In modern cryptography, many schemes are designed based on groups. The most popular problems used for cryptography may be the integer factorization and discrete logarithm problems in finite groups. From these problems, many schemes have been developed. However, on a quantum computer they turned out to be efficiently solvable by Shor's algorithms [19].

Not to put all eggs in one basket, as well as to enrich cryptography, people have attempted to use infinite groups for cryptography. Compared to finite groups, in infinite groups there are only a few types of schemes (e.g. key agreement protocol or public key encryption) [24, 9, 21-23, 13, 2] and a few ways of analyzing attacks (e.g. deterministic or empirical) [3, 10, 17, 12, 11, 16, 7]. A natural question is how we can proceed one more step. An impediment to this seems to be connected with "probability". Indeed, many cryptographic schemes have checkpoints concerning probability for their basic security, and many cases of cryptanalysis rely on probabilistic analysis. Furthermore, we do not see that we can build a provably secure cryptosystem without probability. However, there is nothing discussed seriously about it in the literature on infinite-group-based cryptography.

Our Results. When cryptosystems are designed or analyzed using infinite groups, we sometimes feel attracted to use nice properties or tools which are commonly used in finite groups. However, we do not, since either it looks wrong or we are not sure whether it is right or wrong. A possible approach to resolve this problem is to extract a nice property of finite groups, to generalize it in arbitrary groups, and then to construct a rigorous theory by which we can decide when we can or cannot use this property in infinite groups.

P.J. Lee (Ed.): ASIACRYPT 2004, LNCS 3329, pp. 103-118, 2004.

This paper follows this way focusing on a particular property, the so-called right-invariance: we define a probability measure (cf. probability distribution in probability theory) P on a group G as right-invariant if P(E) = P(Ex) for all E ⊂ G on which P is defined and for all x ∈ G. We show that the right-invariance property depends on a particular subgroup, and the index of the subgroup determines when right-invariance can or cannot be used in infinite groups.

For the situations where this property is allowable, one may be curious about 
how it can be handled in practice. It is easy to find a probability measure which is 
right-invariant only in a particular situation. However, what is more meaningful 
is to find a probability measure which is right-invariant in all situations where 
such property is allowable. Namely, a right-invariant probability measure that 
can be used universally on a given group. As to this, we prove that most infinite 
groups dealt with in cryptography do not have such a probability measure. So we 
discuss weaker, yet practical alternatives with concrete examples. Using these, 
we illustrate how our theory is applied to infinite-group-based cryptography via 
two opposite types of situations. 

Organization. Sec. 2 gives basic notations and brief definitions for reading this 
paper. Sec. 3 discusses why right-invariance is attractive, and formalizes the no- 
tion. Sec. 4 explores right-invariance property through building a mathematical 
framework. Sec. 5 discusses the notion of universally right-invariant probabil- 
ity measure and its alternatives. Sec. 6 shows how the results developed in the 
previous sections can be applied to practice. This paper concludes with Sec. 7. 



2 Preliminaries 

ℕ, ℤ, and ℝ denote the sets of all positive integers, all integers, and all real numbers, respectively. For a < b, (a, b) = {x ∈ ℝ | a < x < b} and [a, b] = {x ∈ ℝ | a ≤ x ≤ b}. For n ∈ ℕ, ℤ_n = {0, 1, ..., n − 1} and ℤ_n^* = {a ∈ ℤ_n | gcd(a, n) = 1}. For sets S and T, S \ T = {x ∈ S | x ∉ T}. |S| and 2^S denote the cardinal number of S and the collection of all subsets of S, respectively. S^{−1} = {x^{−1} | x ∈ S}. A partition of S means a family {S_i}_{i∈I} of non-empty, mutually disjoint subsets of S such that S = ∪_{i∈I} S_i. ∅ denotes the empty set.

Definition 1. (a) Let ℳ ⊂ 2^X for a non-empty set X. ℳ is called a σ-algebra in X if (i) ∅ ∈ ℳ, (ii) E ∈ ℳ implies X \ E ∈ ℳ, and (iii) E_1, E_2, ... ∈ ℳ implies ∪_{i=1}^∞ E_i ∈ ℳ.

(b) If ℳ is a σ-algebra in a non-empty set X, then (X, ℳ) is called a measurable space and the members of ℳ are called the measurable sets in X.

If 𝒮 is any collection of subsets of X, there exists a smallest σ-algebra ℳ in X such that 𝒮 ⊂ ℳ. This ℳ is called the σ-algebra generated by 𝒮.

Definition 2. (a) For a measurable space (X, ℳ), a set function μ : ℳ → [0, 1] is called a probability measure on ℳ if it satisfies that (i) μ(X) = 1 and (ii) if E_1, E_2, ... ∈ ℳ are mutually disjoint, μ(∪_{i=1}^∞ E_i) = Σ_{i=1}^∞ μ(E_i).

(b) For a measurable space (X, ℳ), if μ is a probability measure on ℳ, then (X, ℳ, μ) is called a probability space. In particular, it is called atomic if ℳ = 2^X. Measurable sets of a probability space are called events.

Let G be a group and H a subgroup of G. For x ∈ G, let Z_H(x) = {y ∈ H | yx = xy}, which is a subgroup of H. Hx = {hx | h ∈ H} is called a right coset of H in G and xH = {xh | h ∈ H} a left coset of H in G. The index of H in G, denoted by [G : H], is the cardinal number of the set of distinct right (or left) cosets of H in G. For a normal subgroup H of G, G/H denotes {Hx | x ∈ G} and is called the factor group of G over H. 1_G denotes the identity of G.

Definition 3. (a) For a set X, w = w_1 ··· w_ℓ is called a reduced word on X if w is the empty word or w satisfies that (i) ℓ ∈ ℕ; (ii) w_i ∈ X ∪ X^{−1} for all 1 ≤ i ≤ ℓ; (iii) w_{i+1} ≠ w_i^{−1} for all 1 ≤ i < ℓ. |w| = 0 (if w is the empty word) or ℓ (otherwise) denotes the word length of w.

(b) F(X) is called the free group generated by X. It is the set of all reduced words on X with the binary operation: for any w_1, w_2 ∈ F(X), w_1 · w_2 is the reduced form of the word obtained by the juxtaposition w_1w_2 of the two words. The symbol · is omitted if there is no confusion.

3 Role of Right-Invariance in Cryptography 

This section shows why this paper selects right-invariance as a useful property. 

Role in Random Self-Reducibility. Informally, a problem is called random self-reducible if solving it on any instance is efficiently reduced to solving it on a random instance. For a random self-reducible problem, if breaking a cryptographic scheme implies solving the problem on average, it means solving it in the worst case. Thus, since Blum and Micali [4] introduced this notion, it has played an invaluable role in showing provable security of many schemes. We refer to [1, 8] for detailed references on it and the cryptographic significance of this feature. We state it roughly in terms of the discrete logarithm problem with proper parameters: a prime p and a generator g of ℤ_p^*. n is the length of p when it is represented as a bit-string.

Let a, b ∈ ℕ and let 𝒜 be a probabilistic polynomial time algorithm such that

\Pr_x[\mathcal{A}(p, g, g^x \bmod p) = x] \ge \frac{1}{n^a},

where x is taken uniformly at random from ℤ_{p−1}. Then, there exists a probabilistic polynomial time algorithm 𝒟 such that for all y ∈ ℤ_{p−1},

\Pr[\mathcal{D}(p, g, g^y \bmod p) = y] \ge 1 - \frac{1}{n^b}.

𝒟 is built based on the following idea: for any fixed y ∈ ℤ_{p−1}, 𝒟 chooses x ∈ ℤ_{p−1} uniformly at random, gets w by running 𝒜 on the input (p, g, g^{y+x} mod p), outputs w − x mod p − 1 if g^w = g^y g^x mod p, and otherwise repeats this process some polynomial number of times. A basic property used in computing the success probability of 𝒟 is that for any y ∈ ℤ_{p−1}

\Pr_x[\mathcal{A}(p, g, g^{y+x} \bmod p) = y + x \bmod p - 1] = \Pr_x[\mathcal{A}(p, g, g^x \bmod p) = x], \quad (1)

where x is taken uniformly at random from ℤ_{p−1}.

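The reduction just described, as an added example that is not part of the paper: a stand-in for 𝒜 that knows the discrete logarithm only on a quarter of all instances, and the algorithm 𝒟 that randomizes an arbitrary instance with a uniform shift x, verifies 𝒜's answer, and un-shifts it. Because the shifted instance g^{y+x} is uniform for every fixed y (equation (1)), each trial succeeds with 𝒜's average probability regardless of y. The modulus p = 1019, the generator 2, the "one quarter" solver and the seed are constructed; the function names are hypothetical.

```python
import random

# Constructed toy parameters: p = 1019 is prime, p − 1 = 2·509, and 2 generates
# Z_1019^* (2 is a quadratic non-residue since 1019 ≡ 3 (mod 8), and 2^2 ≠ 1).
P = 1019
G = 2


def make_weak_solver(p, g, fraction=4):
    """Stand-in for A: knows the discrete log only for exponents in the first
    quarter of Z_{p−1} (by table lookup, possible only because p is tiny) and
    returns a bogus answer elsewhere. Over uniform x it succeeds with probability ≈ 1/4."""
    table = {pow(g, x, p): x for x in range((p - 1) // fraction)}
    return lambda h: table.get(h, 0)


def success_rate(p, g, solver, rng, samples=2000):
    """Empirical average success of A on uniformly random instances (the hypothesis on A)."""
    ok = 0
    for _ in range(samples):
        h = pow(g, rng.randrange(p - 1), p)
        ok += pow(g, solver(h), p) == h
    return ok / samples


def randomize_and_solve(p, g, h, solver, rng, trials=200):
    """D: given h = g^y, pick x uniformly, query A on g^{y+x} = h·g^x, verify the
    answer, and un-shift. By (1) the shifted instance is uniform, so each trial
    succeeds with A's average probability whatever the fixed y was."""
    for _ in range(trials):
        x = rng.randrange(p - 1)
        h_prime = h * pow(g, x, p) % p
        w = solver(h_prime)
        if pow(g, w, p) == h_prime:          # never trust A's output unverified
            return (w - x) % (p - 1)
    return None


def run_demo(seed=7, exponents=(0, 1, 300, 509, 700, 1017)):
    """Deterministic driver: A's empirical rate and D's recovered logarithms."""
    rng = random.Random(seed)
    solver = make_weak_solver(P, G)
    rate = success_rate(P, G, solver, rng)
    recovered = [randomize_and_solve(P, G, pow(G, y, P), solver, rng) for y in exponents]
    return {"rate": rate, "recovered": recovered}
```

The exponents in `run_demo` are deliberately spread over all of ℤ_{p−1}, including ones the weak solver can never answer directly; 𝒟 still recovers every one of them, while the probability that all 200 trials fail is (3/4)^200, far below anything the test would observe.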
Equation (1) can be generalized as follows: given a group G, for all r ∈ G

\Pr(f(X) = 0) = \Pr(f(Xr) = 0) \quad\text{or} \quad (2)

\Pr(f(X) = 0) = \Pr(f(rX) = 0), \quad (3)

where X is a random variable over G and f : G → {0, 1} is a predicate. Without loss of generality (WLOG), in this paper we focus on (2).

If G is a finite group and X has the uniform distribution, (2) is true. In this case, it is being used as an underlying assumption in probabilistically analyzing many kinds of cryptographic schemes. However, it is not true in general if G is an infinite group or if one cannot uniformly generate elements from even a finite group. We know that no probability distribution can ever be uniform on any infinite group; however, the concept of uniformity makes infinite groups more flexibly handled in cryptography. A natural question is what distribution on an infinite group is an analogue of the uniform distribution on a finite group.

For an arbitrary group G, let's recall the meaning of a random variable. The fact that X is a random variable over G with a probability distribution P means that P is the probability measure on the atomic measurable space (G, 2^G) and Pr[X ∈ E] = P(E) for any E ⊂ G. In order for (2) to hold when G is an infinite group, we see it from a measure-theoretic point of view. Namely, we consider not only 2^G but also a smaller σ-algebra 𝒢 for P. By restricting P, originally defined on 2^G, to 𝒢, (G, 2^G, P) induces another probability space (G, 𝒢, P).

Definition 4. Let (G, 𝒢, P) be a probability space. E ∈ 𝒢 is called a right-invariant event (resp. left-invariant event) if, for all x ∈ G, Ex ∈ 𝒢 (resp. xE ∈ 𝒢) and P(E) = P(Ex) (resp. P(E) = P(xE)). (G, 𝒢, P) (or shortly P) is called right-invariant (resp. left-invariant) if all events are right-invariant (resp. left-invariant).

For a situation in which one is interested (e.g. points where one wants to compute probabilities or to compare them), if a σ-algebra covering all the events in question (i.e. containing all the events in question as its measurable sets) can be constructed and there exists a right-invariant probability measure thereon, then we say that right-invariance is allowable (or can be used, etc.) in the situation.

4 Right-Invariant Probability Space 

In order to discuss right-invariance from a measure-theoretic point of view, we first analyze the structure of an arbitrary σ-algebra in infinite groups, and then a special type of σ-algebra. From this we formulate a way of deciding whether or not the right-invariance property is allowable in a given situation.

Throughout this paper, we deal with only finitely generated groups since groups with infinitely many generators are not practical. Note that any finitely generated infinite group is a countable set.

σ-Algebra in Finitely Generated Infinite Groups. Let G be a finitely generated infinite group and 𝒢 be a σ-algebra in G. For x ∈ G, define

\mathcal{M}_\mathcal{G}(x) = \{E \in \mathcal{G} \mid x \in E\} \quad\text{and}\quad M_\mathcal{G}(x) = \bigcap_{E \in \mathcal{M}_\mathcal{G}(x)} E.

In particular, denote M_𝒢(1_G) by M_𝒢. The following proposition shows that M_𝒢(x) is the smallest measurable set containing x.

Proposition 1. For a finitely generated infinite group G, let 𝒢 be any σ-algebra in it. Then, M_𝒢(x) ∈ 𝒢 for all x ∈ G. Furthermore, any measurable set is partitioned into M_𝒢(x)'s.

Proof. Let x ∈ G. Since G ∈ ℳ_𝒢(x) and x ∈ M_𝒢(x), M_𝒢(x) ≠ ∅. We show that M_𝒢(x) can be expressed as an intersection of a countable number of measurable sets. For y ∈ G, define a set A_y as follows.

A_y = \begin{cases} G & \text{if } y \in M_\mathcal{G}(x), \\ E \text{ such that } y \notin E \in \mathcal{M}_\mathcal{G}(x) & \text{if } y \notin M_\mathcal{G}(x). \end{cases}

Since G is a countable set, it suffices to show that M_𝒢(x) = ∩_{y∈G} A_y. (i) M_𝒢(x) ⊂ ∩_{y∈G} A_y: If w ∉ ∩_{y∈G} A_y, there exists y ∈ G such that w ∉ A_y. Since A_y ∈ ℳ_𝒢(x), w ∉ M_𝒢(x). (ii) M_𝒢(x) ⊃ ∩_{y∈G} A_y: If w ∉ M_𝒢(x), w ∉ A_w. Thus, w ∉ ∩_{y∈G} A_y. Therefore, M_𝒢(x) ∈ 𝒢.

Let E ∈ 𝒢. Since, for any x ∈ E, M_𝒢(x) ⊂ E, E = ∪_{x∈E} M_𝒢(x). Thus it suffices to show that any distinct M_𝒢(x) and M_𝒢(y) are disjoint. Assume M_𝒢(x) ∩ M_𝒢(y) ≠ ∅. If x ∉ M_𝒢(y), then M_𝒢(x) \ M_𝒢(y) ∈ ℳ_𝒢(x) since M_𝒢(x) \ M_𝒢(y) ∈ 𝒢 and x ∈ M_𝒢(x) \ M_𝒢(y). Since M_𝒢(x) is the intersection of all members of ℳ_𝒢(x), M_𝒢(x) ⊂ M_𝒢(x) \ M_𝒢(y). In particular, M_𝒢(x) ∩ M_𝒢(y) = ∅, which contradicts the assumption. Thus x ∈ M_𝒢(y), so M_𝒢(x) ⊂ M_𝒢(y). By the same argument, M_𝒢(y) ⊂ M_𝒢(x). Therefore, M_𝒢(x) = M_𝒢(y). □

Right-Closed σ-Algebra in Finitely Generated Infinite Groups

Definition 5. A measurable space (G, 𝒢) (or a σ-algebra 𝒢 in G) is called right-closed (resp. left-closed) if, for any E ∈ 𝒢 and any x ∈ G, Ex ∈ 𝒢 (resp. xE ∈ 𝒢).

A σ-algebra generated by a subgroup and all its right cosets is right-closed. The following shows that right-closed σ-algebras have only this form.

Theorem 1. For a finitely generated infinite group G, the following conditions on a measurable space (G, 𝒢) are equivalent.

(i) 𝒢 is right-closed.

(ii) M_𝒢(x) = M_𝒢 x for all x ∈ G.

(iii) M_𝒢 is a subgroup of G, and 𝒢 is generated by M_𝒢 and all its right cosets.

Proof. (i)⇒(ii): Suppose that (i) holds. Let x ∈ G. Since M_𝒢(x) = ∩_{A∈ℳ_𝒢(x)} A and M_𝒢 x = (∩_{A∈ℳ_𝒢(1_G)} A)x = ∩_{A∈ℳ_𝒢(1_G)} (Ax) = ∩_{B∈ℳ_𝒢(1_G)x} B, it suffices to show that ℳ_𝒢(x) = ℳ_𝒢(1_G)x.

Let Ax, where A ∈ ℳ_𝒢(1_G), be an arbitrary element of ℳ_𝒢(1_G)x. Since 1_G ∈ A, x = 1_G x ∈ Ax and so Ax ∈ ℳ_𝒢(x) by (i). Thus ℳ_𝒢(1_G)x ⊂ ℳ_𝒢(x). Conversely, if A ∈ ℳ_𝒢(x), then 1_G = xx^{−1} ∈ Ax^{−1} ∈ ℳ_𝒢(1_G) by (i). Thus, ℳ_𝒢(x) ⊂ ℳ_𝒢(1_G)x.

(ii)⇒(iii): Suppose that (ii) holds. Let a, b ∈ M_𝒢. Since b ∈ M_𝒢, M_𝒢 = M_𝒢(b) by Proposition 1. Then, a ∈ M_𝒢(b) = M_𝒢 b by (ii), and so ab^{−1} ∈ M_𝒢. Therefore, M_𝒢 is a subgroup of G.

For any E ∈ 𝒢, E = ∪_{x∈E} M_𝒢(x) by Proposition 1. M_𝒢(x) = M_𝒢 x ∈ 𝒢 by (ii), and so E = ∪_{x∈E} M_𝒢 x. Thus, 𝒢 is generated by all right cosets of M_𝒢.

(iii)⇒(i): It is trivial. □

An analogous result holds for left-closed σ-algebras. By combining these, we get the following.

Corollary 1. For a finitely generated infinite group G, the following conditions on a measurable space (G, 𝒢) are equivalent.

(i) 𝒢 is both left- and right-closed.

(ii) xM_𝒢 = M_𝒢(x) = M_𝒢 x for all x ∈ G.

(iii) M_𝒢 is a normal subgroup of G and 𝒢 is generated by M_𝒢 and all its cosets.

Right-Invariance Property of Finitely Generated Infinite Groups. The right-invariance property is what belongs to a probability measure defined on a right-closed σ-algebra. When a probability space is right-invariant, any measurable set is, of course, right-invariant. Conversely, Proposition 1 and Theorem 1 imply that right-invariance of M_𝒢 is extended to the whole space.

Theorem 2. For a finitely generated infinite group G, let 𝒢 be a right-closed σ-algebra in G. P(M_𝒢) = P(M_𝒢 x) for all x ∈ G if and only if P(E) = P(Ex) for all E ∈ 𝒢 and all x ∈ G.

From Theorems 1 and 2, we have the following.

Corollary 2. Let G be a finitely generated infinite group. If (G, 𝒢, P) is a right-invariant probability space, then [G : M_𝒢] is finite and P(M_𝒢 x) = [G : M_𝒢]^{−1} for all x ∈ G. Therefore, if [G : M_𝒢] is infinite, (G, 𝒢, P) cannot be right-invariant for any probability measure P.



5 Universally Right-Invariant Probability Measure and 
Alternatives 

Now we can decide whether or not right-invariance is allowable in a given situa- 
tion. Suppose that it is allowable. Then, what are the concrete examples of the 
probability measure which is both useful and practical for such property? 
5.1 Universally Right-Invariant Probability Measure

Given a right-closed measurable space (G, 𝒢), if M_𝒢 is of finite index, it is easy to get a probability measure that is right-invariant only on (G, 𝒢). However, what is more meaningful is the one that is right-invariant on any right-closed σ-algebra 𝒢 with finite-index M_𝒢. By Corollary 2, it can be defined as follows.

Definition 6. A probability measure P defined on an atomic measurable space (G, 2^G) is called a universally right-invariant probability measure on G if P(H) = P(Hx) for any finite-index subgroup H of G and any x ∈ G.

Most infinite groups that have emerged in cryptography are finitely gener- 
ated residually-finite groups (e.g. free groups, groups of automorphisms of free 
groups, braid groups, etc.). A group is residually-finite if the intersection of all 
finite-index normal subgroups consists of only the identity. Here, we consider 
a larger class of groups, finitely generated groups with infinitely many finite- 
index subgroups. Finitely-generated residually-finite infinite groups belong to 
this class. 

Theorem 3. Let G be a finitely generated group with infinitely many finite-index 
subgroups. Then the intersection of all finite-index subgroups of G is a subgroup 
of G with infinite-index. Furthermore, G has no universally right-invariant prob- 
ability measure. 

Proof. For the proof, we use the following fact.

Fact 1. Let G be a finitely generated infinite group. Then, for any m ∈ ℕ, G has only finitely many subgroups of index m.

Let ℋ be the collection of all finite-index subgroups of G and H_0 = ∩_{H∈ℋ} H. Clearly H_0 is a subgroup of G. Assume that [G : H_0] = k is finite. Then any H ∈ ℋ has index k or less. By Fact 1, ℋ is a finite set, which contradicts the hypothesis. Therefore, [G : H_0] is infinite.

Assume that P is a universally right-invariant probability measure on G. Then for any x ∈ G and any H ∈ ℋ,

P(H_0 x) \le P(Hx) = P(H) = [G : H]^{-1}

by Corollary 2. Note that for any integer m there exists a finite-index subgroup H such that [G : H] > m by Fact 1 and by the hypothesis. Thus P(H_0 x) = 0. Since H_0 is an infinite-index subgroup of G, there exist x_1, x_2, ... ∈ G such that G is partitioned into H_0 x_1, H_0 x_2, .... So P(G) = Σ_i P(H_0 x_i) = 0, which contradicts P(G) = 1. Therefore, P cannot be universally right-invariant. □

Corollary 3. Any finitely generated residually finite infinite group has no universally right-invariant probability measure.

5.2 Alternatives 

From Theorem 3, a question arises: what are weaker, yet practical alternatives to the universally right-invariant probability measure? We approach this question via random walk on a free group F = F(X), where X = {x_1, ..., x_m}. This is because any finitely generated infinite group is a homomorphic image of a finitely generated free group, and random walk yields a natural probability measure on F in the following sense: it generates all words of F with positive probability, and the longer the word is, the lower its occurrence probability is.

On the other hand, Theorems 1 and 2 reduce finding such an alternative measure to finding an atomic probability measure in an infinite group which is close to the uniform distribution over the family of all right cosets of any finite-index subgroup. The latter has been studied independently in group theory for a long time. So we attempt to search for alternatives in the results from this area.

For s ∈ (0, 1), let W_s be a no-return random walk on the Cayley graph C(F, X) of F with respect to the generating set X. See the Appendix for Cayley graphs. W_s starts at 1_F and either does nothing with probability s, or moves to one of the 2m adjacent vertices with equal probabilities (1 − s)/(2m). If W_s is at a vertex v ≠ 1_F, it either stops at v with probability s, or moves with probability (1 − s)/(2m − 1) to one of the 2m − 1 adjacent vertices lying away from 1_F, producing a new freely reduced word v x_i^{±1}. So Pr(|w| = k) = s(1 − s)^k and the resulting atomic probability measure on F is

\mu_s(w) = \begin{cases} s & \text{if } w = 1_F, \\ \dfrac{s(1-s)^{|w|}}{2m(2m-1)^{|w|-1}} & \text{otherwise.} \end{cases}

Thus, μ_s(w) is the probability that the random walk W_s stops at w. From the results of Woess [25] and Borovik, Myasnikov, and Remeslennikov [5], for any finite-index subgroup H of F and any x ∈ F

\lim_{s \to 0} \mu_s(Hx) = [F : H]^{-1}.



On the other hand, for the case that we are working with only sufficiently long words, let's consider a variant of μ_s. For k ∈ ℕ, define

\mu_k(w) = \begin{cases} 0 & \text{if } w \in B_k, \\ \dfrac{\mu_s(w)}{\mu_s(F \setminus B_k)} & \text{otherwise,} \end{cases}

where B_k = {w ∈ F | |w| < k} is a ball of radius k. Then μ_k is a probability measure on (F, 2^F). From the results of Pak [18] and Borovik, Myasnikov, and Shpilrain [6], for any finite-index normal subgroup H of F

\sum_{x \in F/H} \left| \mu_k(x) - [F : H]^{-1} \right| = o(e^{-k}). \quad (4)

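The two measures above can be computed exactly for a small quotient, which makes the limit lim_{s→0} μ_s(Hx) = [F : H]^{−1} and the sum in (4) concrete. The following Python is an added example, not part of the paper: it pushes the walk W_s on F = F(x_1, x_2) forward to the cosets of H = ker(F → ℤ_n × ℤ_n) (exponent sums mod n, so H is normal of index n²), tracking only the current coset and the last letter, which is all the no-return rule needs. The choice m = 2, the subgroup H, and the truncation of words beyond a maximal length are constructed assumptions; the function names are hypothetical.

```python
# Constructed setting: F = F(x1, x2), so m = 2 and 2m = 4 letters; the finite-index
# normal subgroup is H = ker(F -> Z_n x Z_n), w -> (exponent sums of x1, x2) mod n,
# so [F : H] = n^2 and the coset of w is read off from those two sums.

LETTERS = 4                                   # x1, x1^-1, x2, x2^-1
STEP = [(1, 0), (-1, 0), (0, 1), (0, -1)]     # exponent-sum change per letter
# letter l and letter l ^ 1 are mutually inverse


def coset_masses(n, s, max_len, min_len=0):
    """Exact push-forward of mu_s to the cosets of H, built step by step: the walk
    stops with probability s (adding mass to the coset it is in) and otherwise moves
    to one of the 2m (at 1_F) or 2m-1 (elsewhere, never backtracking) neighbours
    with equal probability. Words longer than max_len are dropped; the dropped mass
    (1-s)^(max_len+1) is returned as the second value. With min_len > 0 only words
    of length >= min_len contribute, which is what the variant mu_k needs."""
    masses = {}
    live = {((0, 0), None): 1.0}     # (coset, last letter) -> mass still walking
    for length in range(max_len + 1):
        nxt = {}
        for (coset, last), mass in live.items():
            if length >= min_len:
                masses[coset] = masses.get(coset, 0.0) + s * mass
            choices = [l for l in range(LETTERS) if last is None or l != last ^ 1]
            share = (1 - s) * mass / len(choices)
            for l in choices:
                c = ((coset[0] + STEP[l][0]) % n, (coset[1] + STEP[l][1]) % n)
                nxt[(c, l)] = nxt.get((c, l), 0.0) + share
        live = nxt
    return masses, sum(live.values())


def mu_s_cosets(n, s, max_len=2000):
    """mu_s(Hx) for every coset Hx of H."""
    return coset_masses(n, s, max_len)[0]


def mu_k_cosets(n, s, k, max_len=2000):
    """The variant mu_k: mu_s conditioned on |w| >= k, i.e. zero on the ball B_k."""
    masses, _ = coset_masses(n, s, max_len, min_len=k)
    total = sum(masses.values())     # = mu_s(F \ B_k) up to the truncation
    return {c: v / total for c, v in masses.items()}


def max_deviation(dist, n):
    """max over cosets of |P(Hx) - [F:H]^-1|: how far P is from right-invariance."""
    uniform = 1.0 / (n * n)
    return max(abs(dist.get((i, j), 0.0) - uniform) for i in range(n) for j in range(n))


def l1_deviation(dist, n):
    """The sum in (4): sum over F/H of |P(x) - [F:H]^-1|."""
    uniform = 1.0 / (n * n)
    return sum(abs(dist.get((i, j), 0.0) - uniform) for i in range(n) for j in range(n))
```

For n = 3 the identity coset carries at least mass s (the walk may stop at 1_F immediately), so for s = 0.3 the measure is visibly far from the uniform 1/9, while for s = 0.02 every coset is within a few hundredths of 1/9; conditioning on |w| ≥ k removes the short-word bias and shrinks the (4)-type sum as k grows.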


Discussion of Property of μ_s and μ_k. Let (F, ℱ) be a right-closed measurable space with [F : M_ℱ] < ∞. Suppose that P_ℱ is the right-invariant probability measure on (F, ℱ). Then, by Proposition 1 and Theorem 1, μ_s has the following property. For any E ∈ ℱ

\left| \mu_s(E) - P_\mathcal{F}(E) \right| = \left| \sum_{i=1}^{t} \left( \mu_s(M_\mathcal{F} x_i) - [F : M_\mathcal{F}]^{-1} \right) \right| \to 0 \quad \text{as } s \to 0,

where the M_ℱ x_i's are distinct right cosets of M_ℱ in F such that E = ∪_{i=1}^t M_ℱ x_i.

On the other hand, by the normality of H in (4), μ_k has a slightly different property, so that it can be used in two cases. In the first case, let (F, ℱ) be a both left- and right-closed measurable space with [F : M_ℱ] < ∞. Then, by Corollary 1, M_ℱ is a normal subgroup of F. Suppose that P_ℱ is the right-invariant probability measure on (F, ℱ). Then, for any E ∈ ℱ

\left| \mu_k(E) - P_\mathcal{F}(E) \right| \le \sum_{x \in F/M_\mathcal{F}} \left| \mu_k(x) - [F : M_\mathcal{F}]^{-1} \right| = o(e^{-k}) \quad (5)

for k → ∞. The above inequality comes from the following fact.

Fact 2. Let Ω be a finite set, and let P_1 and P_2 be probability measures on (Ω, 2^Ω). Then,

\max_{E} \left| P_1(E) - P_2(E) \right| = \frac{1}{2} \sum_{w \in \Omega} \left| P_1(w) - P_2(w) \right|.

In the second case, let (F, ℱ) be a right-closed measurable space such that M_ℱ contains a finite-index normal subgroup N of F. Then, there exist distinct cosets, Nx_1, ..., Nx_t, of N in F such that M_ℱ = ∪_{i=1}^t Nx_i. Let P_ℱ be the right-invariant probability measure on (F, ℱ). Then, from Fact 2, for any E ∈ ℱ

\left| \mu_k(E) - P_\mathcal{F}(E) \right| \le \sum_{M_\mathcal{F} x \in \mathcal{R}} \left| \mu_k(M_\mathcal{F} x) - [F : M_\mathcal{F}]^{-1} \right| \le \sum_{M_\mathcal{F} x \in \mathcal{R}} \sum_{i=1}^{t} \left| \mu_k(N x_i x) - [F : N]^{-1} \right| = o(e^{-k})

for k → ∞, where ℛ is the set of all right cosets of M_ℱ in F.



Discussion of Alternatives. Given a group $G$, a good alternative to the universally right-invariant probability measure may be a probability measure $P$ on $(G, 2^G)$ such that for any right-invariant probability space $(G, \mathcal{G}, P_{\mathcal{G}})$ and for any $E \in \mathcal{G}$, $|P(E) - P_{\mathcal{G}}(E)|$ is very small. Here, we should be careful with the word "small". Small in what? The factors which determine the value of $|P(E) - P_{\mathcal{G}}(E)|$ come from the characteristics of $G$, $\mathcal{G}$, and $P$. Note that the group $G$ is given, the $\sigma$-algebra $\mathcal{G}$ is arbitrarily selected to some extent, and we are discussing the measure $P$. So focusing on $P$, it seems more reasonable to view $P$ not as a single probability measure but as a family of probability measures indexed by factors representing its characteristics. For example, $\mu = \{\mu_s\}_{s \in (0,1)}$ and $\bar{\mu} = \{\mu_k\}_{k \in \mathbb{N}}$. From this point of view, let us define our alternative in general terms.

Let $P = \{P_\alpha\}_{\alpha \in A}$ be a family of probability measures on $(G, 2^G)$ for an index set $A$, and let some $\alpha_0$ be given. For any right-invariant probability space $(G, \mathcal{G}, P_{\mathcal{G}})$ and for any $E \in \mathcal{G}$, $P$ has the following property:

$$\lim_{\alpha \to \alpha_0} |P_\alpha(E) - P_{\mathcal{G}}(E)| = 0.$$

$\mu$ serves as a good example of this alternative. On the other hand, $\bar{\mu}$ can serve as another example if $(G, \mathcal{G}, P_{\mathcal{G}})$ is a both left- and right-invariant probability space, or if $(G, \mathcal{G}, P_{\mathcal{G}})$ is a right-invariant probability space and $M_{\mathcal{G}}$ contains a finite-index normal subgroup of $G$. In these cases, $|P_\alpha(E) - P_{\mathcal{G}}(E)|$ decreases exponentially.



6 Applications

This section shows two basic examples of how to apply our theory to real situations via recent works. These works are based on braid groups. For a survey of braid-group-based cryptography, see [14].

For $n \ge 2$, the $n$-braid group $B_n$ can be presented by $(n-1)$ generators $\sigma_1, \dots, \sigma_{n-1}$ and two kinds of relations: $\sigma_i \sigma_j = \sigma_j \sigma_i$ for $|i - j| > 1$ and $\sigma_i \sigma_j \sigma_i = \sigma_j \sigma_i \sigma_j$ for $|i - j| = 1$. For the symmetric group $S_n$ on $n$ letters, there is a natural projection $\pi : B_n \to S_n$ sending $\sigma_i$ to the transposition $(i, i+1)$. $\pi(x)$ is written interchangeably with $\pi_x$. Define $P_n = \ker(\pi)$ and call its elements pure braids.

6.1 The Case That Right-Invariance Is Not Allowable

Sibert, Dehornoy, and Girault [20] proposed entity authentication schemes using braid groups: Schemes I, II, II', III. As a two-pass scheme, Scheme I is perfectly honest-verifier zero-knowledge. As three-pass protocols, the other schemes were shown to be zero-knowledge under the assumption that the probability space is right-invariant (to polynomial-time distinguishers). Their assumption was made from some experiment over a certain finite subset of $B_n$.

This section discusses the security of Scheme II on the whole group by disproving the assumption for zero-knowledge. Analogous arguments apply to Schemes II', III. Let us see Scheme II. The prover's secret key is $z \in B_n$, and the public key is $(b, b') \in B_n \times B_n$ where $b' = z b z^{-1}$. Its three-pass process is given in Fig. 1.

Assumption for Perfect Zero-Knowledge. For perfect zero-knowledge of Scheme II, it is assumed that the distributions of $r$ and $r z^{-1}$ are identical, where $r \in_R B_n$. We show that they cannot be identical by defining a distinguisher $A$ as follows.

$$A : \text{``On an input } x \in B_n, \text{ output 1 if } x = 1_{B_n}, \text{ and 0 otherwise.''} \tag{6}$$

Since verifying that any two braids are identical can be done very efficiently, $A$ is also efficient. Then the situation comparing the distributions of $r$ and $r z^{-1}$ by using the algorithm $A$ yields the atomic $\sigma$-algebra $2^{B_n}$ as the right-closed $\sigma$-algebra in $B_n$. So, right-invariance is not allowable in this situation.
Prover                                            Verifier

r ∈_R B_n
x = r b r^{-1}
                      -------- x -------->
                                                  e ∈_R {0, 1}
                      <------- e ---------
y = r          if e = 0,
y = r z^{-1}   otherwise
                      -------- y -------->
                                                  check x = y b y^{-1}    if e = 0,
                                                        x = y b' y^{-1}   otherwise

Fig. 1. Scheme II



Assumption for Computational Zero-Knowledge. For computational zero-knowledge of Scheme II, it is assumed that the distributions of $r$ and $r z^{-1}$ are computationally indistinguishable, where $r \in_R B_n$. This means that, for any polynomial-time distinguisher $A$, $|\Pr[A(X) = 1] - \Pr[A(X z^{-1}) = 1]|$ is negligible. Here $X$ is a random variable over $B_n$.

By using the algorithm (6), we show that it is not negligible in the word length of the secret key $z$ with respect to the probability measure $\mu_s$ which is defined on a free group $F$ generated by $\{x_1, \dots, x_{n-1}\}$. Considering the natural projection $\phi : F \to B_n$ defined by $x_i \mapsto \sigma_i$, let $K = \ker(\phi)$ and let the random variable $X$ have the probability distribution induced by $\mu_s$. Then

$$\Pr[A(X) = 1] = \mu_s(K) \ge \mu_s(1_F) = s.$$

Let $\ell = \min_{w \in \phi^{-1}(z)} |w|$, and let $w_0 \in \phi^{-1}(z)$ satisfy $|w_0| = \ell$. Then

$$\Pr[A(X z^{-1}) = 1] = \mu_s(K w_0) = \sum_{k \ge 0} \mu_s(K w_0 \cap C_k) = \sum_{k \ge 0} s(1-s)^k \frac{|K w_0 \cap C_k|}{|C_k|},$$

where $C_k = \{w \in F \mid |w| = k\}$. Note that $K w_0 \cap C_k = \emptyset$ for $0 \le k < \ell$. Thus,

$$\Pr[A(X z^{-1}) = 1] = \sum_{k \ge \ell} s(1-s)^k \frac{|K w_0 \cap C_k|}{|C_k|} \le \sum_{k \ge \ell} s(1-s)^k = (1-s)^{\ell}.$$

Therefore, $\Pr[A(X) = 1] - \Pr[A(X z^{-1}) = 1] \ge s - (1-s)^{\ell}$.
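The inequality above can be checked numerically. The following Python script is an added example and not part of the paper: it applies the same calculation to the coarser distinguisher $A \circ \pi$ (output 1 iff the image of the input braid in $S_n$ is the identity), which is still an efficient distinguisher on $B_n$ and avoids implementing the braid word problem; the argument goes through unchanged with $K$ replaced by $\ker(\pi \circ \phi)$ and $\ell$ by the length of the shortest word mapping to $\pi(z)$, since only the homomorphism property was used. It assumes the form of $\mu_s$ used in the calculation above, namely $\mu_s(w) = s(1-s)^{|w|}/|C_{|w|}|$ (the walk stops after exactly $k$ steps with probability $s(1-s)^k$ and is uniform on the sphere $C_k$); all function names are the example's own.

```python
def reduced_words(m, k):
    """Yield every freely reduced word of length k in the free group on x_1..x_m.
    A word is a tuple of nonzero ints: +i stands for x_i and -i for x_i^{-1}.
    This is the sphere C_k; |C_k| = 2m(2m-1)^(k-1) for k >= 1."""
    if k == 0:
        yield ()
        return
    for w in reduced_words(m, k - 1):
        for a in range(-m, m + 1):
            if a != 0 and (not w or a != -w[-1]):
                yield w + (a,)


def perm_of_word(n, w):
    """Image of w under pi∘phi : F -> B_n -> S_n, x_i -> transposition (i, i+1).
    Permutations are tuples p with p[j] = image of j (0-based)."""
    p = list(range(n))
    for a in w:
        i = abs(a) - 1                       # a transposition is its own inverse
        p[i], p[i + 1] = p[i + 1], p[i]      # right-multiply p by (i, i+1)
    return tuple(p)


def distinguisher(n, perm):
    """Permutation-level version of (6): 1 iff the input is the identity."""
    return 1 if perm == tuple(range(n)) else 0


def min_word_length(n, target, kmax):
    """ell for the coarser distinguisher: length of the shortest word mapping to target."""
    for k in range(kmax + 1):
        if any(perm_of_word(n, w) == target for w in reduced_words(n - 1, k)):
            return k
    return None


def mu_s_mass(n, s, hit, kmax):
    """Truncated mu_s-mass of {w : hit(pi phi(w))}, i.e.
    sum_{k<=kmax} s(1-s)^k |{w in C_k : hit}| / |C_k|, together with the total
    mass (1-s)^(kmax+1) of the spheres that were not enumerated."""
    total = 0.0
    for k in range(kmax + 1):
        sphere = list(reduced_words(n - 1, k))
        hits = sum(hit(perm_of_word(n, w)) for w in sphere)
        total += s * (1 - s) ** k * hits / len(sphere)
    return total, (1 - s) ** (kmax + 1)


def advantage(n, s, z_perm, kmax):
    """Return (lower bound on Pr[A(X)=1], upper bound on Pr[A(X z^-1)=1],
    the paper's bound s - (1-s)^ell) for a secret z with pi(z) = z_perm."""
    ident = tuple(range(n))
    p1, _ = mu_s_mass(n, s, lambda q: q == ident, kmax)      # mu_s(K): truncation only loses mass
    p2, tail = mu_s_mass(n, s, lambda q: q == z_perm, kmax)  # mu_s(K w_0) plus all mass beyond kmax
    ell = min_word_length(n, z_perm, kmax)
    return p1, p2 + tail, s - (1 - s) ** ell


if __name__ == "__main__":
    # n = 3: F is free on x_1, x_2 and pi(z) = (1 3) = (1 2)(2 3)(1 2), so ell = 3.
    z13 = perm_of_word(3, (1, 2, 1))
    p1, p2, bound = advantage(3, 0.5, z13, kmax=10)
    print(f"Pr[A(X)=1] >= {p1:.4f}, Pr[A(X z^-1)=1] <= {p2:.4f}, s-(1-s)^l = {bound}")
```

With $s = 1/2$ and $\pi(z) = (1\,3)$ the bound is $1/2 - 1/8 = 3/8$, and the enumerated values show the actual gap is larger; raising `kmax` only tightens the two bounds, because the neglected tail $(1-s)^{k_{\max}+1}$ is accounted for explicitly.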



6.2 The Case That Right-Invariance Is Allowable

For notational convenience, this section assumes that $n$ is even. Define $B_\ell$ (resp. $B_u$) to be the subgroup of $B_n$ generated by $\sigma_1, \dots, \sigma_{n/2-1}$ (resp. $\sigma_{n/2+1}, \dots, \sigma_{n-1}$). Likewise, define $S_\ell$ (resp. $S_u$) to be the subgroup of the symmetric group $S_n$ generated by $(1, 2), \dots, (\tfrac{n}{2} - 1, \tfrac{n}{2})$ (resp. $(\tfrac{n}{2} + 1, \tfrac{n}{2} + 2), \dots, (n - 1, n)$). Then, any two elements chosen from $B_\ell$ and $B_u$ (resp. $S_\ell$ and $S_u$) commute with each other. The decisional Diffie-Hellman-type conjugacy problem in $B_n$ is defined as follows.

Given $(a, w_\ell^{-1} a w_\ell, w_u^{-1} a w_u, x_u^{-1} x_\ell^{-1} a x_\ell x_u)$, distinguish $x_u^{-1} x_\ell^{-1} a x_\ell x_u$ and $w_u^{-1} w_\ell^{-1} a w_\ell w_u$, where $a \in B_n$, $w_\ell, x_\ell \in B_\ell$, and $w_u, x_u \in B_u$.
      (F, μ_k)  --- φ --->  (B_ℓ B_u, P)  --- π̄ --->  S_ℓ S_u
         |                      |                       |
         K      ------->        H        ------->       C
         |                      |                       |
         N      ------->     P_ℓ P_u     ------->   1_{S_ℓ S_u}

(vertical bars denote inclusion of the lower group in the upper one)

Fig. 2. Correspondences among groups



This problem is used as an underlying problem of a public-key encryption scheme [13], a pseudorandom number generator, and a pseudorandom synthesizer [15]. Gennaro and Micciancio [10] proposed how to solve it for some parameters. We supplement their attack by quantifying the success probability of their adversary. The adversary is described as follows.

$A$ : "On an input $(a, w_\ell^{-1} a w_\ell, w_u^{-1} a w_u, x_u^{-1} x_\ell^{-1} a x_\ell x_u)$, where $a \in B_n \setminus P_n$, $w_\ell, x_\ell \in B_\ell$, and $w_u, x_u \in B_u$,

1. find any $\theta \in S_\ell$ such that $\theta^{-1} \pi_a \theta = \pi(w_\ell^{-1} a w_\ell)$;

2. output 1 if $\pi(x_u^{-1} x_\ell^{-1} a x_\ell x_u) = \theta^{-1} \pi(w_u^{-1} a w_u) \theta$, and 0 otherwise."

Define $B_\ell B_u = \{xy \mid x \in B_\ell, y \in B_u\}$ and $S_\ell S_u = \{\tau\omega \mid \tau \in S_\ell, \omega \in S_u\}$. Then they are subgroups of $B_n$ and $S_n$, respectively. Let $C = Z_{S_\ell S_u}(\pi_a)$ be the centralizer of $\pi_a$ in $S_\ell S_u$. Since $\theta$ (at Step 1) can be easily and perfectly computed (for instance, $\theta = \pi(w_\ell)$ qualifies) and any such $\theta$ satisfies $\theta^{-1} \pi(w_u^{-1} a w_u) \theta = \pi(w_u^{-1} w_\ell^{-1} a w_\ell w_u)$, the success probability equals

$$\Pr[A(a, w_\ell^{-1} a w_\ell, w_u^{-1} a w_u, X^{-1} a X) = 0] = \Pr[\pi(X) \notin C\,\pi(w_\ell w_u)], \tag{7}$$

where $X$ is a random variable over $B_\ell B_u$.

Deciding Whether Right-Invariance Is Allowable or Not. Restricting $\pi$ defined on $B_n$ to $B_\ell B_u$ induces another natural projection $\bar{\pi} : B_\ell B_u \to S_\ell S_u$. Define $H = \bar{\pi}^{-1}(C)$ and $P_\ell P_u = \ker(\bar{\pi})$. See Fig. 2. Then $H$ is a subgroup of $B_\ell B_u$, $\Pr[\pi(X) \notin C\,\pi(w_\ell w_u)] = \Pr[X \notin H w_\ell w_u]$, and $P_\ell P_u$ is a normal subgroup of $B_\ell B_u$ contained in $H$. Define $\mathcal{B}$ as the $\sigma$-algebra in $B_\ell B_u$ generated by all cosets of $P_\ell P_u$. Then $H \in \mathcal{B}$ and $\mathcal{B}$ is both left- and right-closed. Since $[B_\ell B_u : M_{\mathcal{B}}] = [B_\ell B_u : P_\ell P_u] = ((n/2)!)^2$ is finite, we can use the right-invariance property in order to compute the success probability $\Pr[X \notin H w_\ell w_u]$.

Computing the Success Probability. Let $F = F(\{x_1, \dots, x_{n/2-1}, x_{n/2+1}, \dots, x_{n-1}\})$ be a free group. Then, there is a natural projection $\phi : F \to B_\ell B_u$ defined by $x_i \mapsto \sigma_i$. Let $K = \phi^{-1}(H)$ and $N = \phi^{-1}(P_\ell P_u)$. See Fig. 2. Let $\mathcal{F}$ be the $\sigma$-algebra in $F$ generated by all cosets of $N$. Since $N$ is a finite-index normal subgroup of $F$ and $M_{\mathcal{F}} = N$, $\mu_k$ can be used on $(F, \mathcal{F})$ for right-invariance.

Define a set function $P : \mathcal{B} \to [0, 1]$ by $P(E) = \mu_k(\phi^{-1}(E))$ for all $E \in \mathcal{B}$. Since $\mathcal{F} = \{\phi^{-1}(E) \mid E \in \mathcal{B}\}$, $P$ is a probability measure on $(B_\ell B_u, \mathcal{B})$. Let the random variable $X$ in (7) induce $P$. Then, $\Pr[X \notin H w_\ell w_u] = 1 - P(H w_\ell w_u)$. On the other hand, from the definition of $P$ and (5),

$$\bigl|P(H w_\ell w_u) - [B_\ell B_u : H]^{-1}\bigr| = \bigl|\mu_k(K \phi^{-1}(w_\ell w_u)) - [K : N]/[F : N]\bigr| = o(e^{-k}).$$

Therefore, the success probability of the adversary is bounded by

$$1 - [B_\ell B_u : H]^{-1} - o(e^{-k}) \le 1 - P(H w_\ell w_u) \le 1 - [B_\ell B_u : H]^{-1} + o(e^{-k}).$$

Note that $[B_\ell B_u : H] = [S_\ell S_u : C]$ and $C = Z_{S_\ell S_u}(\pi_a)$. So $[B_\ell B_u : H]$ can be evaluated if $\pi_a$ is specified. For all $a \in B_n \setminus P_n$, its upper bound is $((n/2)!)^2$, and its lower bound is $n(n-2)/8$ for $n \ge 10$ from the following theorem.

Theorem 4. If $\alpha \in S_n \setminus \{1_{S_n}\}$, then $Z_{S_\ell S_u}(\alpha)$ is a proper subgroup of $S_\ell S_u$ for $n \ge 6$. Precisely,

$$[S_\ell S_u : Z_{S_\ell S_u}(\alpha)] \ge \begin{cases} n(n-2)/8 & \text{for } n \ge 10, \\ 3 & \text{for } n = 8, \\ 2 & \text{for } n = 6. \end{cases}$$

Proof. Let $\alpha \in S_n$, and let $\alpha_1, \dots, \alpha_s$ be disjoint cycles in $S_n$ such that

$$\alpha = \alpha_1 \cdots \alpha_s \quad \text{and} \quad \alpha_i \in \begin{cases} S_\ell & \text{for } 1 \le i \le t_\ell, \\ S_n \setminus S_\ell S_u & \text{for } t_\ell < i \le t_u, \\ S_u & \text{for } t_u < i \le s, \end{cases}$$

for some $0 \le t_\ell \le t_u \le s$. Let

$$\alpha_\ell = \alpha_1 \cdots \alpha_{t_\ell} \in S_\ell, \qquad \bar{\alpha} = \alpha_{t_\ell + 1} \cdots \alpha_{t_u} \in (S_n \setminus S_\ell S_u) \cup \{1_{S_n}\}, \qquad \alpha_u = \alpha_{t_u + 1} \cdots \alpha_s \in S_u.$$

For every $1 \le i \le s$, let $\alpha_i = (a_{k_{i-1}+1}, \dots, a_{k_i})$ with $k_0 = 0$. Then

$$\alpha = (a_1, \dots, a_{k_1})(a_{k_1+1}, \dots, a_{k_2}) \cdots (a_{k_{s-1}+1}, \dots, a_{k_s}).$$

Note that for any $\tau \in S_n$, the cycle decomposition of $\tau \alpha \tau^{-1}$ is as follows.

$$\tau \alpha \tau^{-1} = (\tau(a_1), \dots, \tau(a_{k_1}))(\tau(a_{k_1+1}), \dots, \tau(a_{k_2})) \cdots (\tau(a_{k_{s-1}+1}), \dots, \tau(a_{k_s}))$$

Let $\tau \in Z_{S_\ell S_u}(\alpha)$. Then $\tau \alpha_1 \tau^{-1}, \dots, \tau \alpha_s \tau^{-1}$ are disjoint cycles of $\alpha$. If $\alpha_i \in S_\ell$, $\alpha_j \in S_n \setminus S_\ell S_u$, and $\alpha_k \in S_u$, then $\tau \alpha_i \tau^{-1} \in S_\ell$, $\tau \alpha_j \tau^{-1} \in S_n \setminus S_\ell S_u$, and $\tau \alpha_k \tau^{-1} \in S_u$ for all $i, j, k$. So $\tau \alpha_\ell \tau^{-1} = \alpha_\ell$, $\tau \bar{\alpha} \tau^{-1} = \bar{\alpha}$, and $\tau \alpha_u \tau^{-1} = \alpha_u$. Namely, $\tau \in Z_{S_\ell S_u}(\alpha_\ell) \cap Z_{S_\ell S_u}(\bar{\alpha}) \cap Z_{S_\ell S_u}(\alpha_u)$. On the other hand, it is clear that $Z_{S_\ell S_u}(\alpha_\ell) \cap Z_{S_\ell S_u}(\bar{\alpha}) \cap Z_{S_\ell S_u}(\alpha_u) \subset Z_{S_\ell S_u}(\alpha)$. So

$$Z_{S_\ell S_u}(\alpha) = Z_{S_\ell S_u}(\alpha_\ell) \cap Z_{S_\ell S_u}(\bar{\alpha}) \cap Z_{S_\ell S_u}(\alpha_u).$$

Let $\alpha \ne 1_{S_n}$, and let $\tau = \tau_\ell \tau_u \in S_\ell S_u$ mean that $\tau_\ell \in S_\ell$ and $\tau_u \in S_u$.

Case 1. $\alpha_\ell \alpha_u \ne 1_{S_n}$: WLOG, let $\alpha_\ell \ne 1_{S_n}$. Define $l_1 = |\{1 \le i \le n/2 \mid \alpha_\ell(i) = i\}|$ and $l_i$ as the number of $i$-cycles of $\alpha_\ell$ for $2 \le i \le n/2$. Then

$$|Z_{S_\ell}(\alpha_\ell)| = \prod_{i=1}^{n/2} i^{l_i} \, l_i!.$$
Table 1. Maximum of |Z_{S_ℓ}(α_ℓ)| and minimum of [S_ℓ : Z_{S_ℓ}(α_ℓ)]

  n/2     max. of |Z_{S_ℓ}(α_ℓ)|    min. of [S_ℓ : Z_{S_ℓ}(α_ℓ)]    number of cycles
  3       3                         2                               l_3 = 1, l_k = 0 for k ≠ 3
  4       8                         3                               l_2 = 2, l_k = 0 for k ≠ 2
  ≥ 5     2 × (n/2 − 2)!            (n/4)(n/2 − 1)                  l_1 = n/2 − 2, l_2 = 1, l_k = 0 for k ≥ 3

Table 1 shows the maximum values of $|Z_{S_\ell}(\alpha_\ell)|$ and the corresponding values of $[S_\ell : Z_{S_\ell}(\alpha_\ell)]$ over $\alpha_\ell \in S_\ell \setminus \{1_{S_n}\}$. Since $[S_\ell S_u : Z_{S_\ell S_u}(\alpha)] \ge [S_\ell S_u : Z_{S_\ell S_u}(\alpha_\ell)] = [S_\ell : Z_{S_\ell}(\alpha_\ell)]$, for all $\alpha \in S_n$ such that $\alpha_\ell \alpha_u \ne 1_{S_n}$,

$$[S_\ell S_u : Z_{S_\ell S_u}(\alpha)] \ge \begin{cases} n(n-2)/8 & \text{for } n \ge 10, \\ 3 & \text{for } n = 8, \\ 2 & \text{for } n = 6. \end{cases}$$



Case 2. $\alpha_\ell \alpha_u = 1_{S_n}$: In this case, $Z_{S_\ell S_u}(\alpha) = Z_{S_\ell S_u}(\bar{\alpha})$. Define

$$A_\ell = \{1 \le i \le n/2 \mid \alpha(i) \ne i\}, \quad A_u = \{n/2 < i \le n \mid \alpha(i) \ne i\}, \quad N_\ell = |A_\ell|, \quad N_u = |A_u|.$$

WLOG, we assume $1 \le N_u \le N_\ell \le n/2$. Note that for any $\tau_\ell \tau_u \in Z_{S_\ell S_u}(\alpha)$, $\{(i, \tau_\ell(i)) \mid i \in A_\ell\}$ is uniquely determined by $\{(i, \tau_u(i)) \mid i \in A_u\}$. So

$$|Z_{S_\ell S_u}(\alpha)| \le \begin{cases} ((n/2 - 1)!)^2 & \text{if } N_u < n/2, \\ (n/2)! & \text{if } N_u = n/2 \end{cases} \;\le\; \begin{cases} ((n/2 - 1)!)^2 & \text{if } n \ge 8, \\ 6 & \text{if } n = 6. \end{cases}$$

Therefore, for all $\alpha \in S_n \setminus \{1_{S_n}\}$ such that $\alpha_\ell \alpha_u = 1_{S_n}$,

$$[S_\ell S_u : Z_{S_\ell S_u}(\alpha)] \ge \begin{cases} (n/2)^2 & \text{if } n \ge 8, \\ 6 & \text{if } n = 6. \end{cases}$$

From Cases 1 and 2, the conclusion follows.

□
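Theorem 4 and the success probability (7) can both be checked at the permutation level, where the quantity $[S_\ell S_u : C]$ lives. The following Python script is an added example, not code from the paper: it enumerates $S_\ell S_u$ for small even $n$, computes $[S_\ell S_u : Z_{S_\ell S_u}(\alpha)]$ by brute force, reproduces the rows of Table 1 by brute force over $S_{n/2}$, and runs Steps 1 and 2 of the adversary $A$ on the $S_n$-images $\pi_a$, $\pi(w_\ell^{-1} a w_\ell)$, $\pi(w_u^{-1} a w_u)$ over every $\pi(X) \in S_\ell S_u$. Under the uniform distribution on $S_\ell S_u$ (the $o(e^{-k})$-free limit of the bound above) this gives exactly $1 - [S_\ell S_u : C]^{-1}$ for (7). Permutations are 0-based tuples, and all function names are the example's own.

```python
from functools import lru_cache
from itertools import permutations


def compose(p, q):
    """(p*q)(i) = p(q(i)); a permutation is a tuple with p[i] = image of i."""
    return tuple(p[i] for i in q)


def inverse(p):
    inv = [0] * len(p)
    for i, v in enumerate(p):
        inv[v] = i
    return tuple(inv)


def conj(x, a):
    """x^{-1} a x, the conjugation pattern used throughout Section 6.2."""
    return compose(inverse(x), compose(a, x))


@lru_cache(maxsize=None)
def lower_upper(n):
    """S_l (permutations of the lower half {0..n/2-1}), S_u (upper half), and the
    product group S_l S_u = {tau*omega}, all as permutations of {0..n-1}."""
    m = n // 2
    low = tuple(tuple(p) + tuple(range(m, n)) for p in permutations(range(m)))
    up = tuple(tuple(range(m)) + tuple(m + i for i in p) for p in permutations(range(m)))
    return low, up, tuple(compose(t, o) for t in low for o in up)


def centralizer_index(n, alpha):
    """[S_l S_u : Z_{S_l S_u}(alpha)] by brute force over S_l S_u."""
    _, _, grp = lower_upper(n)
    size = sum(1 for t in grp if compose(t, alpha) == compose(alpha, t))
    return len(grp) // size


def table1_row(m):
    """(max |Z_{S_m}(a)|, min [S_m : Z_{S_m}(a)]) over a != 1 in S_m, i.e. Table 1 for n/2 = m."""
    s_m = list(permutations(range(m)))
    sizes = [sum(1 for t in s_m if compose(t, a) == compose(a, t))
             for a in s_m if a != tuple(range(m))]
    return max(sizes), len(s_m) // max(sizes)


def adversary(n, a, a_l, a_u, challenge):
    """Steps 1 and 2 of A on the S_n-images of its inputs: pick theta in S_l with
    theta^-1 a theta = a_l (theta = pi(w_l) always qualifies, but any solution works
    because S_l and S_u commute), then output 1 iff challenge == theta^-1 a_u theta."""
    low, _, _ = lower_upper(n)
    theta = next(t for t in low if conj(t, a) == a_l)
    return 1 if challenge == conj(theta, a_u) else 0


def success_probability(n, a, w_l, w_u):
    """Pr over uniform X in S_l S_u that A outputs 0 on X^-1 a X, cf. (7)."""
    _, _, grp = lower_upper(n)
    a_l, a_u = conj(w_l, a), conj(w_u, a)
    zeros = sum(1 for x in grp if adversary(n, a, a_l, a_u, conj(x, a)) == 0)
    return zeros / len(grp)


def min_index(n):
    """Smallest [S_l S_u : Z(alpha)] over alpha != 1 in S_n (exhaustive; fast for n = 6)."""
    ident = tuple(range(n))
    return min(centralizer_index(n, a) for a in permutations(range(n)) if a != ident)


if __name__ == "__main__":
    three_cycle = (1, 2, 0, 3, 4, 5)                    # (1 2 3) in S_l, n = 6
    w_l, w_u = (1, 0, 2, 3, 4, 5), (0, 1, 2, 4, 5, 3)    # w_l = (1 2), w_u = (4 5 6)
    print("index for a 3-cycle, n = 6:", centralizer_index(6, three_cycle))
    print("success probability (7):", success_probability(6, three_cycle, w_l, w_u))
    print("Table 1 rows for n/2 = 3, 4, 5:", [table1_row(m) for m in (3, 4, 5)])
```

For $n = 6$ and a 3-cycle inside $S_\ell$ the index is 2, so the adversary is right only half the time, which is the "some parameters" caveat in concrete form; for $n = 10$ a transposition $(1\,2)$ already gives index $n(n-2)/8 = 10$ and a success probability of $0.9$.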



7 Conclusions 

We know that it is impossible to overestimate the role of the uniform distribution 
in cryptography. However, no infinite group has such a nice distribution. Noticing 
that this fact is an impediment to the use of infinite groups for cryptography, this 
paper has formalized the notion of right-invariance on an infinite group which in 
a sense corresponds to the uniform distribution on a finite set, and then shown 
when and how this notion can be used for infinite-group-based cryptography. 
Our work is a first attempt to formalize and resolve probability-theoretic problems arising in the process of using infinite groups for cryptography. Although our work cannot resolve all the problems, we hope that it contributes to widening the scope of what provably secure cryptosystems can be built on. We close this paper with the following research topics.

— Find different types of alternatives to the universally right-invariant probability measure from ours.

— Find more examples of practical problems which right-invariance can resolve in cryptography.

— For complex problems (e.g. proving security of a cryptosystem), discover, formalize, and solve their constituent problems other than right-invariance.
Appendix: Cayley Graph

The Cayley graph $C(G, X)$ of a group $G$ with a generating set $X$ is a graph such that the vertices are in one-to-one correspondence with the group elements and there is a (directed) edge from the vertex labelled by $v$ to the vertex labelled by $vx$ for each $v \in G$ and $x \in X \cup X^{-1}$. So if $G$ is an infinite group, its Cayley graph is also an infinite graph. The Cayley graph is a metric space by defining the length of each edge to be the unit length. The distance between two vertices $v, w$ in the Cayley graph is exactly the shortest word-length of $v^{-1} w$ with respect to the given generating set.
Abstract. We present new results in the framework of secure multi-party computation based on homomorphic threshold cryptosystems. We introduce the conditional gate as a special type of multiplication gate that can be realized in a surprisingly simple and efficient way using just standard homomorphic threshold ElGamal encryption. As addition gates are essentially for free, the conditional gate not only allows for building a circuit for any function, but actually yields efficient circuits for a wide range of tasks.



1 Introduction

Homomorphic threshold cryptosystems provide a basis for secure multiparty computation in the cryptographic model [FH96, JJ00, CDN01, DN03]. For a given $n$-ary function $f$, one composes a circuit $C$ of elementary gates that, given encryptions of $x_1, \dots, x_n$ on its input wires, produces an encryption of $f(x_1, \dots, x_n)$ on its output wire. The elementary gates operate in the same fashion. The wires of the entire circuit $C$ are all encrypted under the same public key; the corresponding private key is shared among a group of parties. It is customary to distinguish addition gates and multiplication gates. Addition gates can be evaluated without having to decrypt any value, taking full advantage of the homomorphic property of the cryptosystem. Multiplication gates, however, require at least one threshold decryption to succeed even for an honest-but-curious (passive) adversary. To deal with a malicious (active) adversary, multiplication gates additionally require the use of zero-knowledge proofs.

While the result of [FH96] covers the case of a passive adversary only, an interesting feature is that it covers both the two-party case ($n = 2$) and the multiparty case ($n > 2$) in a uniform way. The later papers [JJ00, CDN01, DN03] do cover an active adversary, but only consider the multiparty case. In the present paper, we are particularly interested in extending the use of homomorphic threshold
cryptosystems to the two-party case. We observe that solutions based on homomorphic threshold cryptosystems can be used just as well in the two-party case. To cover fairness, however, an additional protocol is needed that allows two parties to jointly decrypt the outputs in a gradual fashion. We present such a protocol by showing how to adapt the decryption step of a homomorphic threshold cryptosystem.

A major advantage of secure multiparty computation based on homomorphic threshold cryptosystems is the fact that it results in particularly efficient solutions, even for active adversaries. The communication complexity, which is the dominating complexity measure, is $O(nk|C|)$ bits for [JJ00, CDN01, DN03], where $n$ is the number of parties, $k$ is a security parameter, and $|C|$ is the number of gates of circuit $C$. A more detailed look at the performance of these solutions reveals, however, that there is considerable room for improvement in several respects.

It is assumed in [JJ00, CDN01, DN03] that the shared key for the homomorphic threshold cryptosystem used in the multiparty protocol is already given. As a consequence, the communication complexity of $O(nk|C|)$ bits does not include the communication needed for the distributed key generation (DKG) protocol of the underlying threshold cryptosystem. However, the performance of the DKG protocol is an issue since we envision a system supporting ad hoc contacts among a large group of peer users, where any pair of users may decide to engage in a secure two-party computation for a dynamically agreed upon function. For example, "profile matching" is an application in which two users jointly test whether some function of their (personal) profiles exceeds a given threshold, without divulging any further information on their profiles. In this scenario, it is unreasonable to assume that each pair of users shares a specific key pair for the underlying threshold cryptosystem. Instead, each time two users want to perform a two-party computation, they would need to run the DKG protocol first.

In this respect, an advantage of the Mix and Match approach of [JJ00] is its applicability to any discrete log setting, whereas [CDN01, DN03] depend critically on an RSA-like setting (e.g., using Paillier's cryptosystem). The advantage is that DKG protocols for discrete log based cryptosystems are efficient and relatively simple (see [Ped91, GJKR99]). In particular, DKG can be achieved practically for free in the two-party case. This contrasts sharply with the known protocols for distributed generation of a shared RSA modulus. Briefly, for the two-party case (without a helper party), Gilboa [Gil99] reports a communication complexity of about 42MB (or 29MB for a slightly optimized version) for generating a shared 1024-bit RSA modulus, while covering passive adversaries only. And, for the multiparty case, the results of [ACS02] show what is currently achievable, also covering passive adversaries only.

Interestingly, it is actually possible to combine the benefits of a discrete log setting and an RSA-like setting, as demonstrated recently in [DJ03]. To this end, one uses an amalgam of the ElGamal cryptosystem and the Paillier cryptosystem (such a combination has also been presented in the full version of [CS02]). A
system supporting ad hoc contacts may then be set up by jointly generating a single RSA modulus (between as many parties as deemed necessary, e.g., using a robust version of [ACS02]). A discrete log based DKG protocol will suffice to generate a shared key between any two users. We do note however that the security of the resulting system relies on both a discrete log related assumption and a factoring related assumption, which is undesirable from a theoretical point of view.

In this paper, we will focus on a solution for which the security depends on the standard decisional Diffie-Hellman (DDH) assumption. As a consequence our protocols can be implemented using elliptic curves, for which the security is assumed to be exponential as a function of the security parameter rather than sub-exponential (as for RSA, for example). The Mix and Match approach of [JJ00] is also secure under DDH, but we note that the resulting protocol for evaluating multiplication gates is, despite its conceptual simplicity, quite inefficient. We will show how to evaluate multiplication gates in a much simpler way, such that the computational effort decreases by at least one order of magnitude (that is, a ten-fold speed-up is achieved, see Section 3.3). On the other hand, a disadvantage of our approach is that, in general, the round complexity is $O(nd)$ for $n$ parties and circuit depth $d = d(C)$, versus $O(n + d)$ for Mix and Match. For two-party computation, however, the round complexity is $O(d)$ in both cases, and more generally for small $n$ the gain in computational efficiency outweighs the increased round complexity.

The basis of our approach is formed by the conditional gate, a special multiplication gate which we show to be efficiently implementable under DDH. Basically, a conditional gate allows us to efficiently multiply two encrypted values $x$ and $y$, as long as $x$ is restricted to a two-valued domain, e.g., $x \in \{0, 1\}$. We emphasize that the value of $y$ is not restricted, e.g., we may have $y \in \mathbb{Z}_q$, where $q$ is a large prime. This property can be exploited when designing circuits for specific functions. For example, from the formula $(y_0', y_1') = (y_0 - x(y_0 - y_1),\ y_1 + x(y_0 - y_1))$, with $x \in \{0, 1\}$, one sees that a conditional swap gate, swapping any two values in $\mathbb{Z}_q$ depending on the value of $x$, can be obtained using a single conditional gate. We will indicate that, using ElGamal, one cannot expect to achieve a multiplication gate for which both inputs are unrestricted. Note, however, that the result of [CDN01] shows that multiplication of two unrestricted values can be achieved efficiently under a factoring related assumption.

Overview. Throughout the paper we will describe the results in a general setting of $n$-party computation, $n \ge 2$, although we are mainly interested in the two-party case. In Section 2, we review the basics for homomorphic threshold ElGamal. In Section 3, we introduce the conditional gate as our elementary multiplication gate, and we show how it can be used to achieve xor-homomorphic ElGamal encryption efficiently. In Section 4, we then consider the secure evaluation of arbitrary circuits, following [CDN01], which we extend with a new, non-interactive protocol for achieving private outputs. Furthermore, we propose an efficient protocol for achieving fairness in the two-party case. In Section 5, we show that particularly efficient circuits can be built for basic operations such as integer comparison, paying special attention to Yao's well-known millionaires problem in Section 5.2, for which we obtain a solution requiring $12m$ exponentiations for $m$-bit integers. Finally, in Section 6, we conclude with future work and give an example of a more advanced application which we call "profile matching".



2 Preliminaries on Homomorphic Threshold ElGamal

Discrete Log Setting. Let $G = \langle g \rangle$ denote a finite cyclic (multiplicative) group of prime order $q$ for which the Decision Diffie-Hellman (DDH) problem is assumed to be infeasible: given $g^\alpha, g^\beta, g^\gamma \in_R G$, it is infeasible to decide whether $\alpha\beta = \gamma \pmod q$. This implies that the Diffie-Hellman (DH) problem, which is to compute $g^{\alpha\beta}$ given $g^\alpha, g^\beta \in_R G$, is infeasible as well. In turn, this implies that the Discrete Log (DL) problem, which is to compute $\log_g h = \alpha$ given $h = g^\alpha \in_R G$, is infeasible.

Homomorphic ElGamal Encryption. For public key $h \in G$, a message $m \in \mathbb{Z}_q$ is encrypted as a pair $(a, b) = (g^r, g^m h^r)$, with $r \in_R \mathbb{Z}_q$. Encryption is additively homomorphic: given encryptions $(a, b)$, $(a', b')$ of messages $m, m'$, respectively, an encryption of $m + m'$ is obtained as

$$(a, b) * (a', b') = (aa', bb') = (g^{r + r'}, g^{m + m'} h^{r + r'}).$$

Given the private key $\alpha = \log_g h$, decryption of $(a, b) = (g^r, g^m h^r)$ is performed by first calculating $b / a^\alpha = g^m$, and then solving for $m \in \mathbb{Z}_q$. In general, this is exactly the DL problem, which we assume to be infeasible. The way out is to require that message $m$ is constrained to a sufficiently small set $M \subset \mathbb{Z}_q$.¹ In this paper, the cardinality of $M$ will be very small, often $|M| = 2$.

Homomorphic ElGamal encryption is semantically secure assuming the infeasibility of the DDH problem. Throughout the paper, we use $\llbracket m \rrbracket$ to denote the set of all ElGamal encryptions of $m$ under some understood public key $h$, and, frequently, we also use $\llbracket m \rrbracket$ to denote one of its elements. More formally, using that $\llbracket 0 \rrbracket$ is a subgroup of $G \times G$, $\llbracket m \rrbracket$ is the coset of $\llbracket 0 \rrbracket$ in $G \times G$ containing the encryption $(1, g^m)$. Hence, encryptions $(a, b)$ and $(a', b')$ belong to the same coset iff $\log_g(a/a') = \log_h(b/b')$. Lifting the operations on the direct product group $G \times G$ to the cosets, we thus have, for $x, y \in \mathbb{Z}_q$, that $\llbracket x \rrbracket * \llbracket y \rrbracket = \llbracket x + y \rrbracket$ and $\llbracket x \rrbracket^y = \llbracket xy \rrbracket$, where $(a, b)^c = (a^c, b^c)$ for $c \in \mathbb{Z}_q$. Hence, $\llbracket x \rrbracket * \llbracket y \rrbracket^{-1} = \llbracket x - y \rrbracket$. Addition and subtraction over $\mathbb{Z}_q$ and multiplication by a publicly known value in $\mathbb{Z}_q$ can thus be performed easily on encrypted values. These operations are deterministic. Another useful consequence is that any encryption in $\llbracket x \rrbracket$ can be transformed into a statistically independent encryption in $\llbracket x \rrbracket$ by multiplying it with a uniformly selected encryption in $\llbracket 0 \rrbracket$; this is often referred to as "random re-encryption."

Pedersen Commitment. Given $h' \in G$, a Pedersen commitment to $m \in \mathbb{Z}_q$ is a value $b = g^m h'^r$, with $r \in_R \mathbb{Z}_q$. The commitment is opened by revealing $m$ and $r$.

¹ For intervals $M$, the Pollard-$\lambda$ ("kangaroo") method runs in $O(\sqrt{|M|})$ time using $O(1)$ storage.
Pedersen's scheme is unconditionally hiding and computationally binding, under the assumption that $\log_g h'$ cannot be determined. The commitment scheme is also additively homomorphic, and we will sometimes use $\langle\langle m \rangle\rangle$ to denote a commitment to message $m$, where the randomization is suppressed.

$\Sigma$-Protocols. We briefly mention a few facts about $\Sigma$-protocols. A $\Sigma$-protocol for a relation $R = \{(v, w)\}$ is a three-move protocol between a prover and a verifier, where the prover does the first move. Both parties get a value $v$ as common input, and the prover gets a "witness" $w$ as private input, $(v, w) \in R$. A $\Sigma$-protocol is required to be a proof of knowledge for relation $R$ satisfying special soundness and special honest-verifier zero-knowledge. See [CDS94] for details.

We need some well-known instances of $\Sigma$-protocols. The simplest case is Schnorr's protocol for proving knowledge of a discrete log $\alpha$, on common input $a = g^\alpha$, and Okamoto's variant for proving knowledge of $\alpha, \beta$, on common input $a = g^\alpha h^\beta$. Another basic case is Chaum-Pedersen's protocol for proving knowledge of $\alpha$, on common input $(a, b) = (g^\alpha, h^\alpha)$, which is a way to prove that $(a, b) \in \llbracket 0 \rrbracket$ without revealing any information on $\alpha$. Applying OR-composition [CDS94], these basic protocols can be combined into, for instance, a $\Sigma$-protocol for proving that $(a, b) \in \llbracket 0 \rrbracket \cup \llbracket 1 \rrbracket$, where the common input is an ElGamal encryption $(a, b)$. The latter protocol thus proves that the message encrypted (which is an element of $\mathbb{Z}_q$) actually is a "bit", without divulging any further information on the message.

For simplicity, we will use the non-interactive versions of these $\Sigma$-protocols, which are obtained via the Fiat-Shamir heuristic, that is, by computing the challenge as a hash of the first message (and possibly other inputs). The resulting proofs are known to be secure in the random oracle model; in particular, we will use that these proofs can be simulated.

Threshold ElGamal Decryption. We use a $(t+1, n)$-threshold ElGamal cryptosystem, $0 \le t < n$, in which encryptions are computed using a common public key $h$ (as above) while decryptions are done using a joint protocol between $n$ parties $P_1, \dots, P_n$. Each party $P_i$ holds a share $\alpha_i \in \mathbb{Z}_q$ of the private key $\alpha = \log_g h$, where the corresponding value $h_i = g^{\alpha_i}$ is public. As long as more than $t$ parties take part, decryption will succeed, whereas $t$ or fewer parties are not able to decrypt successfully.

The parties initially obtain their shares by running a secure distributed key generation protocol; see [Ped91, GJKR99] for details. We note that these protocols are practical (the communication complexity is $O(n^2 k)$ bits for security parameter $k$, where the hidden constant is small). For the two-party case ($t = 1$, $n = 2$), we briefly describe a (non-robust) distributed key generation protocol in the spirit of [GJKR99]. The protocol consists of two steps. In the first step, party $P_i$, $i = 1, 2$, broadcasts a Pedersen commitment $b_i = g^{\alpha_i} h'^{r_i}$ with $\alpha_i, r_i \in_R \mathbb{Z}_q$, along with a proof of knowledge for $\alpha_i, r_i$. In the second step, party $P_i$, $i = 1, 2$, broadcasts $r_i$ along with a proof of knowledge of $\log_g h_i$, where $h_i = b_i / h'^{r_i}$. The joint public key is $h = h_1 h_2$, with private key $\alpha = \alpha_1 + \alpha_2$. Clearly, this protocol is very practical. In many cases, it may even be replaced by the trivial one-round protocol in which both parties broadcast $h_i = g^{\alpha_i}$ and a proof of knowledge of $\alpha_i$. Although the trivial protocol allows one of the parties to influence the distribution of the public key $h$ slightly, this need not be a problem for the application in which the key is used; see [GJKR03] for more details.

For decryption of $(a, b)$, party $P_i$, $i = 1, \dots, n$, produces a decryption share $d_i = a^{\alpha_i}$ along with a proof that $\log_a d_i = \log_g h_i$. Assuming w.l.o.g. that parties $P_1, \dots, P_{t+1}$ produce correct decryption shares, the message can be recovered from $g^m = b / a^\alpha$, where $a^\alpha$ is obtained from $d_1, \dots, d_{t+1}$ by Lagrange interpolation. Assuming homomorphic ElGamal, $m \in M$ will hold for some small set $M$; if such $m$ cannot be found decryption fails. Also, if fewer than $t + 1$ parties provide a correct decryption share, decryption fails.

For later use in the proof of Theorem 1, we note that the threshold decryption protocol can be simulated for any input $(a, b) \in \llbracket m \rrbracket$, provided message $m \in \mathbb{Z}_q$ is given as well. Assume w.l.o.g. that parties $P_1, \dots, P_t$ are corrupted, hence collectively form the adversary. The simulator first extracts the shares $\alpha_1, \dots, \alpha_t$ of the adversary, by rewinding the proofs of knowledge based on these shares. (The parties prove knowledge of their shares during the distributed key generation protocol.) The simulator then computes $a^\alpha = b / g^m$ from $b$ and $m$. The simulator then computes the correct decryption shares for the corrupted parties as $a^{\alpha_1}, \dots, a^{\alpha_t}$, which enables the computation of the decryption shares for the honest parties by Lagrange interpolation on $a^\alpha, a^{\alpha_1}, \dots, a^{\alpha_t}$. The corresponding proofs of correct decryption are simulated for the honest parties. For the corrupted parties, the decryption shares and the proofs of correct decryption are obtained from the adversary, running it as a black box; possibly some of these shares are wrong and/or some of the proofs fail, but these values are included in the output of the simulator anyway. The simulation is then completed by recovering the message as in the real protocol, possibly ending with a decryption failure. As a result, the simulated transcript is consistent with the view of the adversary and statistically indistinguishable from real transcripts.



3 Special Multiplication Protocols

The results of the previous section imply that a function $f$ can be evaluated securely in a multiparty setting if $f$ can be represented as a circuit over $\mathbb{Z}_q$ consisting only of addition gates and simple multiplication gates. Here, an addition gate takes encryptions $\llbracket x \rrbracket$ and $\llbracket y \rrbracket$ as input and produces $\llbracket x \rrbracket * \llbracket y \rrbracket = \llbracket x + y \rrbracket$ as output, and a simple multiplication gate takes $\llbracket x \rrbracket$ as input and produces $\llbracket x \rrbracket^c = \llbracket cx \rrbracket$ as output, for a publicly known value $c \in \mathbb{Z}_q$. To be able to handle any function $f$, however, we need more general multiplication gates for which both inputs are encrypted.

In this section, we consider two special multiplication gates. If no restrictions are put on $x$ or $y$, a multiplication gate, taking $\llbracket x \rrbracket$ and $\llbracket y \rrbracket$ as input and producing $\llbracket xy \rrbracket$ as output efficiently, cannot exist assuming that the DH problem is infeasible. Therefore, we consider two special multiplication gates, putting some restrictions on the multiplier $x$. The first gate requires that the multiplier $x$ is private, which means that it is known by a single party. The second gate, referred to as the conditional gate, requires that the multiplier $x$ is from a dichotomous (two-valued) domain. As a direct application of the conditional gate, we also consider xor-homomorphic encryption based on ElGamal encryption.

3.1 Multiplication with a Private Multiplier 

We present a multiplication protocol where the multiplier $x$ is a private input rather than a shared input. That is, the value of $x$ is known by a single party $P$. No restriction is put on the multiplicand $y$. Multiplication with a private multiplier occurs as a subprotocol in the protocol for the conditional gate and in other protocols further on in the paper.

Given encryptions $[\![x]\!] = (a,b) = (g^r, g^x h^r)$ and $[\![y]\!] = (c,d)$, where party $P$ knows $r, x$, party $P$ computes on its own a randomized encryption $[\![xy]\!] = (e,f) = (g^s, h^s) * [\![y]\!]^x$, with $s \in_R \mathbb{Z}_q$, using the homomorphic properties. Party $P$ then broadcasts $[\![xy]\!]$ along with a proof showing that this is the correct output, which means that it proves knowledge of witnesses $r, s, x \in \mathbb{Z}_q$ satisfying $a = g^r$, $b = g^x h^r$, $e = g^s c^x$, $f = h^s d^x$.

For later use, we need to be able to simulate the above protocol. The simulator gets as input $[\![x]\!]$ and $[\![y]\!]$, and a correct output encryption $[\![xy]\!]$, but it does not know $x$. As a result, the simulator only needs to add a simulated proof of knowledge. The simulated transcript is statistically indistinguishable from a real transcript.

Below, we will also use a variation of the above protocol, where the private multiplier $x$ is multiplied with several multiplicands $y_i$ at the same time. Furthermore, we note that often a slight optimization is possible by using a Pedersen commitment $\langle\!\langle x\rangle\!\rangle = g^x h^r$ instead of an ElGamal encryption $[\![x]\!] = (g^r, g^x h^r)$ for the multiplier.

3.2 Conditional Gate 

Next, we consider a multiplication gate for which the multiplier $x$ is from a dichotomous (two-valued) domain, whereas the multiplicand $y$ is unrestricted. We call it the conditional gate, and show how to implement it by an efficient protocol, using just homomorphic threshold ElGamal. We will formulate the conditional gate for the dichotomous domain $\{-1,1\}$ (see the second footnote below).

Footnote: Given $g^x, g^y$ we form encryptions $[\![x]\!], [\![y]\!]$ and feed these into the multiplication gate. The gate would return an encryption $[\![xy]\!]$, which would give $g^{xy}$ upon decryption.

Footnote: Domain $\{0,1\}$ or any other domain $\{a,b\}$, $a \neq b$, can be used instead, as these domains can be transformed into each other by linear transformations: $x \mapsto a' + (b'-a')(x-a)/(b-a)$ maps $\{a,b\}$ to $\{a',b'\}$. These transformations can be applied directly to homomorphic encryptions, transforming $[\![x]\!]$ with $x \in \{a,b\}$ into $[\![x']\!]$ with $x' \in \{a',b'\}$.




126 B. Schoenmakers and P. Tuyls 



Let $[\![x]\!], [\![y]\!]$ denote encryptions, with $x \in \{-1,1\} \subset \mathbb{Z}_q$ and $y \in \mathbb{Z}_q$. The following protocol enables parties $P_1, \ldots, P_n$, $n \geq 2$, to compute an encryption $[\![xy]\!]$ securely. For simplicity, we assume that these parties also share the private key of the $(t+1,n)$-threshold scheme $[\![\cdot]\!]$, where $t < n$. The protocol consists of two phases.

1. Let $x_0 = x$ and $y_0 = y$. For $i = 1, \ldots, n$, party $P_i$ in turn takes $[\![x_{i-1}]\!]$ and $[\![y_{i-1}]\!]$ as input, and broadcasts a commitment $\langle\!\langle s_i\rangle\!\rangle$, with $s_i \in_R \{-1,1\}$. Then $P_i$ applies the private-multiplier multiplication protocol to multiplier $\langle\!\langle s_i\rangle\!\rangle$ and multiplicands $[\![x_{i-1}]\!]$ and $[\![y_{i-1}]\!]$, yielding random encryptions $[\![x_i]\!]$ and $[\![y_i]\!]$, where $x_i = s_i x_{i-1}$ and $y_i = s_i y_{i-1}$. If $P_i$ fails to complete this step successfully it is discarded immediately.

2. The parties jointly decrypt $[\![x_n]\!]$ to obtain $x_n$. If decryption fails because the number of correct shares is insufficient, the entire protocol is aborted. If decryption fails because $x_n \notin \{-1,1\}$, each party $P_i$ is required to broadcast a proof that $s_i \in \{-1,1\}$. Parties failing to do so are discarded, and the protocol is restarted (starting again at phase 1). Given $x_n$ and $[\![y_n]\!]$, an encryption $[\![x_n y_n]\!]$ is computed publicly.

The output of the protocol is $[\![x_n y_n]\!]$. Clearly, if all parties are honest, $x_n y_n = (\prod_{i=1}^n s_i)^2 xy = xy$.

Any party may disrupt the protocol for at most one run of phase 1 by picking a value $s_i$ outside the range $\{-1,1\}$. Note that we do not need to require that each $s_i$ is in $\{-1,1\}$ in phase 1. For instance, parties $P_1$ and $P_2$ may cheat by setting $s_1 = 2$ and $s_2 = 1/2$. Since $s_1 s_2 = 1$, this type of "cheating" will go unnoticed in phase 2 if all other parties are honest. However, the security of the protocol is not affected by such "cheating." For $t < n/2$, the protocol is robust, allowing up to $t$ failing parties in total (as the threshold decryption step tolerates up to $t$ failing parties). For $n/2 \leq t < n$, the protocol is not robust, but we will see from Theorem 1 below that the adversary does not get an advantage in this case.

The protocol requires a single threshold decryption only. Since $x_n \in \{-1,1\}$ is required to hold, decryption is feasible for the homomorphic ElGamal encryption scheme. As the value of $x_n$ is statistically independent of $x$, the value of $x_n$ does not reveal any information on $x$. This is stated in the following theorem, which holds for up to $t < n$ corrupting parties.

Theorem 1. On input $[\![x]\!], [\![y]\!]$ with $x \in \{-1,1\} \subset \mathbb{Z}_q$ and $y \in \mathbb{Z}_q$ the above protocol produces $[\![xy]\!]$, without leaking any additional information on $x$ and $y$.

Proof. The soundness of the proofs in phase 1 of the protocol ensures that $x_n = x \prod_{i=1}^n s_i$ and $y_n = y \prod_{i=1}^n s_i$. Since it is checked in phase 2 that $x_n \in \{-1,1\}$, it follows from $x \in \{-1,1\}$ that $\prod_{i=1}^n s_i \in \{-1,1\}$ as well. Therefore, $x_n y_n = xy$.

To argue that no additional information on $x$ and $y$ is leaked we present the following simulation of the protocol. The simulation takes as input encryptions $[\![x]\!]$, $[\![y]\!]$, and $[\![xy]\!]$. Given this information, the simulator is able to generate a complete transcript for the protocol, for which the distribution is exactly the same as in real executions of the protocol. If $[\![xy]\!]$ is not available, it may be replaced by a random encryption in $[\![0]\!]$, as done in [CDN01, Theorem 1]. Since the simulator below does not use the shares of the honest parties to simulate decryptions, the simulated transcripts will be indistinguishable (under DDH) from real transcripts for any adversary controlling up to $t$ parties.

Assume that parties $P_1, \ldots, P_t$ are corrupted, hence collectively form the adversary (the simulator is easily adapted for other sets of corrupted parties). The simulator lets the adversary run phase 1 of the protocol for parties $P_1, \ldots, P_t$, each time rewinding the proofs of knowledge used in the private-multiplier multiplication protocol to extract the values $s_1, \ldots, s_t$; if a party fails to provide a correct proof it is discarded. Subsequently, the simulator runs phase 1 for parties $P_{t+1}, \ldots, P_{n-1}$ as in the real protocol, leaving $[\![x_{n-1}]\!]$, with $x_{n-1} = s_1 \cdots s_{n-1} x$, as intermediate encryption. For party $P_n$, however, the simulator picks $s'_n \in_R \{-S, S\}$, where $S = \prod_{i=1}^{n-1} s_i$, and it computes a commitment $\langle\!\langle s'_n x_{n-1}\rangle\!\rangle$ and an encryption $[\![s'_n xy]\!]$ from $[\![x_{n-1}]\!]$ and $[\![xy]\!]$, respectively. Writing $s_n = s'_n x_{n-1}$, the simulator then simulates the private multiplier multiplication protocol for multiplier $\langle\!\langle s_n\rangle\!\rangle$ and multiplicands $[\![x_{n-1}]\!]$, $[\![y_{n-1}]\!]$ and outputs $[\![s'_n]\!]$, $[\![s'_n xy]\!]$, which are the correct outputs since $s'_n = s_n x_{n-1}$ and $s'_n xy = s'_n x_{n-1} y_{n-1} = s_n y_{n-1}$.

The output of phase 1 consists of encryptions $[\![s'_n]\!]$ and $[\![s'_n xy]\!]$. By construction, the simulator is able to perform the decryption in phase 2 itself, producing $s'_n \in \{-S, S\}$ as output. The simulator for the threshold decryption protocol is used for encryption $[\![s'_n]\!]$ using $s'_n$ as an additional input (see Section 2). If decryption fails due to an insufficient number of correct decryption shares, the simulation stops, as in the real protocol. If $S \notin \{-1,1\}$, decryption fails and a proof that $s_i \in \{-1,1\}$ is generated for each party $P_i$, by letting the adversary do this for parties $P_1, \ldots, P_t$ (of which at least one fails), running the real protocol for parties $P_{t+1}, \ldots, P_{n-1}$, and using a simulation for $P_n$. After discarding the failing parties among $P_1, \ldots, P_t$, the simulation is continued by simulating another run of phase 1.

Finally, the simulator computes the encryption $[\![x_n y_n]\!] = [\![xy]\!]$, which is clearly the correct output. □

If the total number of parties is large compared to the total number of conditional gates to be evaluated, an alternative way to guarantee robustness is to let the parties use encryptions $[\![s_i]\!]$ instead of commitments $\langle\!\langle s_i\rangle\!\rangle$ in phase 1. Again, if $x_n \notin \{-1,1\}$ in phase 2, all parties are required to prove that $s_i \in \{-1,1\}$. Failing parties are discarded and their $s_i$ values are decrypted to correct the value of $x_n$.

The performance of the protocol is as follows (analyzing the case that no party is cheating). The performance is determined by the communication complexity (in bits) and the round complexity. In phase 1 each party applies the private-multiplier multiplication protocol, broadcasting about 10 values. For decryption each party broadcasts 3 values at the most. Hence, the communication complexity is $O(nk)$ where the hidden constant is very small. In general, the round complexity is $O(n)$, which is high, but in case of two-party computation it is $O(1)$. Also, when many conditional gates are to be evaluated in parallel, one may take advantage of the fact that the order in which parties $P_1, \ldots, P_n$ execute phase 1 of the conditional gate protocol can be chosen arbitrarily.

3.3 XOR-Homomorphic ElGamal Encryption 

As a direct application of the conditional gate, we obtain an xor-homomorphic ElGamal encryption scheme. (The converse problem of constructing $(\mathbb{Z}_q,+)$-homomorphic schemes, $q > 2$, from xor-homomorphic schemes, such as the Goldwasser-Micali cryptosystem [GM84], is considered in [KMO01].)

Given $[\![x]\!], [\![y]\!]$ with $x, y \in \{0,1\}$, $[\![x \oplus y]\!]$ is computed as follows, using one threshold decryption (cf. footnote 2):

1. Publicly convert $[\![x]\!]$ to $[\![x']\!]$ with $x' = 2x - 1 \in \{-1,1\}$.

2. Apply the conditional gate to $[\![x']\!]$ and $[\![y]\!]$ to obtain $[\![x'y]\!]$.

3. Publicly compute $[\![x - x'y]\!]$, which is equal to $[\![x \oplus y]\!]$.

The work per party is very limited, about 13 exponentiations for each conditional gate. In contrast, the Mix and Match approach of [JJ00] would require each party to mix the 4 rows of a truth table for $x \oplus y$ in a verifiable way (Mix step, requiring 24 exponentiations for blinding the entries and, say, $6 \times 12$ exponentiations for the correctness proof, using the efficient protocol of [Gro03]), and perform on average 4 plaintext equality tests to find $[\![x \oplus y]\!]$ given $[\![x]\!]$ and $[\![y]\!]$ (Match step, requiring $4 \times 7$ exponentiations). Hence, the conditional gate provides approximately a ten-fold improvement, counting exponentiations.
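The private-multiplier gate of Section 3.1, the conditional gate of Section 3.2 and the xor gate of Section 3.3, worked over a constructed toy ElGamal group (added example, not the paper's own code). It assumes a single decryption key $\alpha$ in place of the $(t+1,n)$-threshold key, omits the zero-knowledge proofs, and recovers small messages from $g^m$ by matching against a candidate set, as the paper's Section 2 requires; the function names and the group parameters $p = 2039$, $q = 1019$, $g = 4$ are my own choices.

```python
"""Homomorphic ElGamal, private-multiplier gate, conditional gate and xor gate.
Added example (not the paper's code): a single key alpha stands in for the
(t+1,n)-threshold key and all zero-knowledge proofs are omitted."""
import random

# Constructed toy parameters: p = 2q + 1 with q prime; G = 4 generates the order-q subgroup.
P, Q, G = 2039, 1019, 4

def keygen():
    alpha = random.randrange(1, Q)
    return alpha, pow(G, alpha, P)            # private key alpha, public key h = g^alpha

def enc(h, m, r=None):
    """ElGamal encryption [m] = (g^r, g^m h^r); the message m is taken mod q."""
    r = random.randrange(Q) if r is None else r
    return (pow(G, r, P), pow(G, m % Q, P) * pow(h, r, P) % P)

def add(c1, c2):
    """Addition gate: [x] * [y] = [x + y] (componentwise product)."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def scale(c, k):
    """Simple multiplication gate: [x]^k = [kx] for a public k (k may be negative)."""
    return (pow(c[0], k % Q, P), pow(c[1], k % Q, P))

def dec_small(alpha, c, candidates):
    """Decryption yields g^m only; m is found by matching against a small known
    candidate set (Section 2), or None if no candidate matches."""
    gm = c[1] * pow(c[0], (Q - alpha) % Q, P) % P      # b / a^alpha
    for m in candidates:
        if pow(G, m % Q, P) == gm:
            return m
    return None

def private_multiply(h, x, c_y):
    """Section 3.1: the party knowing multiplier x forms a fresh randomized
    [xy] = (g^s, h^s) * [y]^x; the correctness proof is omitted here."""
    s = random.randrange(Q)
    return add((pow(G, s, P), pow(h, s, P)), scale(c_y, x))

def conditional_gate(alpha, h, c_x, c_y, n, signs=None):
    """Section 3.2 for x in {-1,1}: phase 1 blinds both inputs by each party's
    s_i, phase 2 decrypts x_n and forms [x_n y_n] publicly."""
    signs = signs or [random.choice((-1, 1)) for _ in range(n)]
    for s_i in signs:                       # phase 1: x_i = s_i x_{i-1}, y_i = s_i y_{i-1}
        c_x = private_multiply(h, s_i, c_x)
        c_y = private_multiply(h, s_i, c_y)
    x_n = dec_small(alpha, c_x, (-1, 1))    # phase 2: decryption only succeeds on {-1,1}
    if x_n is None:
        raise ValueError("x_n not in {-1,1}: some s_i left the domain, restart phase 1")
    return scale(c_y, x_n)                  # [x_n y_n] = [xy] since (prod s_i)^2 = 1

def xor_gate(alpha, h, c_x, c_y, n):
    """Section 3.3 for x, y in {0,1}: [x'] = [2x - 1], then [x xor y] = [x - x'y]."""
    c_xp = add(scale(c_x, 2), enc(h, -1, r=0))   # public constant -1 encrypted with r = 0
    c_xpy = conditional_gate(alpha, h, c_xp, c_y, n)
    return add(c_x, scale(c_xpy, -1))

def demo(n=3):
    """Runs the conditional gate over a few inputs and the xor gate over its
    whole truth table; returns the decrypted results keyed by input."""
    random.seed(7)
    alpha, h = keygen()
    products = {}
    for x in (-1, 1):
        for y in (0, 5, 17):
            c = conditional_gate(alpha, h, enc(h, x), enc(h, y), n)
            products[(x, y)] = dec_small(alpha, c, range(-20, 21))
    xors = {(a, b): dec_small(alpha, xor_gate(alpha, h, enc(h, a), enc(h, b), n), (0, 1))
            for a in (0, 1) for b in (0, 1)}
    return products, xors
```

Passing `signs=[2, pow(2, -1, Q)]` reproduces the cancelling "cheating" of the text (the gate still outputs $[\![xy]\!]$), while `signs=[2, 1]` makes phase 2 fail and trigger the restart.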

4 Circuit Evaluation 

In this section, we briefly describe a protocol for evaluating a given circuit composed of elementary gates. Recall that our elementary gates operate over $\mathbb{Z}_q$, except that the first input of a conditional gate is required to belong to a two-valued domain. It is clear that these elementary gates suffice to emulate any Boolean circuit. Specifically, any operator on two bits $x, y \in \{0,1\} \subset \mathbb{Z}_q$ can be expressed uniquely as a polynomial of the form $a_0 + a_1 x + a_2 y + a_3 xy$ with coefficients in $\mathbb{Z}_q$. Hence, any binary operator can be expressed using at most one conditional gate.

The protocol operates in much the same manner as the protocol for circuit evaluation of, for instance, [CDN01]. For convenience, we assume that the parties $P_1, \ldots, P_n$ evaluating the circuit are exactly the same as the parties for which the $(t+1,n)$-threshold cryptosystem has been set up, where $t < n$. The circuit is then evaluated in three phases:

1. The parties encrypt their inputs using the homomorphic cryptosystem $[\![\cdot]\!]$, and the parties are required to provide a proof of knowledge for their inputs, and possibly that the inputs belong to a dichotomous domain.

2. The parties then jointly evaluate the circuit gate-by-gate. Conditional gates at the same depth of the circuit are evaluated in parallel.

3. Finally, the parties jointly decrypt the outputs of the circuit.

As described in the previous section, parties failing at some stage in the protocol are discarded immediately. As long as no more than $t < n/2$ parties fail in total, the protocol will complete and all parties will learn the output. The case of $n/2 \leq t < n$ will be discussed below.

The formal security analysis of [CDN01] can be adapted to show that our protocol is secure against a static, active adversary corrupting at most $t < n$ parties, assuming the intractability of the DDH problem. This follows from the fact that we are able to simulate the multiplication protocols of Section 3 in a statistically indistinguishable manner, provided that the simulator for these protocols is given encryptions of the correct output values. We thus achieve the same level of security as [CDN01]. The important difference is that [CDN01] incorporates a general multiplication gate, for which they need an RSA-like cryptosystem such as Paillier's cryptosystem to get an efficient multiplication protocol, while we incorporate a restricted multiplication gate, for which we have presented an efficient multiplication protocol using the ElGamal cryptosystem.

4.1 Private Outputs 

In this section, we propose a new non-interactive protocol for achieving private 
outputs in the context of secure multiparty computation based on homomorphic 
threshold cryptosystems. Previous methods require the receiving parties to per- 
form some blinding step, as part of the decryption protocol. For our method, it 
suffices to know the public keys of the receiving parties. 

We need a different method than [CDN01] to deal with private outputs anyway, since their method would require us to decrypt an ElGamal encryption of a random message in $\mathbb{Z}_q$. Suppose $[\![m]\!]$ is an encryption of a private output for party $P_j$, that is, output $m$ is intended for party $P_j$ only. Briefly, the method of [CDN01] is to let party $P_j$ first blind encryption $[\![m]\!]$ by multiplying it with a random encryption $[\![r]\!]$ for some $r \in_R \mathbb{Z}_q$. The encryption $[\![m+r]\!]$ is then jointly decrypted, resulting in the value $m' = m + r$, from which (only) party $P_j$ is able to compute $m = m' - r$. This method critically depends on the ability to decrypt arbitrary messages. Using an RSA-like cryptosystem, such as Paillier's cryptosystem, this is no problem. Using ElGamal encryption, however, we cannot decrypt $[\![m+r]\!]$ (see Section 2). A first way out is to adapt the ElGamal decryption step to output $g^{m+r}$ instead of $m+r$; the receiving party may divide this value by $g^r$ to obtain $g^m$, from which $m$ may be determined, assuming $m$ is from a small set.

We note however that in general it is undesirable that interaction with the receiving parties is required to produce private outputs. Therefore, we present a protocol for which no interaction with the receiving party is required. The protocol runs as follows. Let $(a,b) \in [\![m]\!]$ be an output intended for party $P_j$ and let $h_j = g^{\alpha_j}$ denote $P_j$'s public key. Recall from Section 2 that threshold decryption requires each party $P_i$ to produce the value $a^{\alpha_i}$ along with a proof of correctness. We modify this step as follows, by releasing $a^{\alpha_i}$ encrypted under $P_j$'s public key and adapting the proof of correctness accordingly:

1. Each party $P_i$ outputs an encryption $(c_i, d_i) = (g^{r_i}, a^{\alpha_i} h_j^{r_i})$ with $r_i \in_R \mathbb{Z}_q$ along with a proof that it knows $\alpha_i, r_i$ satisfying $h_i = g^{\alpha_i}$, $c_i = g^{r_i}$, $d_i = a^{\alpha_i} h_j^{r_i}$.

2. For decryption, party $P_j$ first uses Lagrange coefficients $\lambda_i$ to compute the following product for a set of $t+1$ valid shares $(c_i, d_i)$: $\prod_i (c_i, d_i)^{\lambda_i} = \left(\prod_i c_i^{\lambda_i}, \prod_i d_i^{\lambda_i}\right)$. Then $P_j$ decrypts this product using its private key $\alpha_j$ to obtain $\prod_i a^{\alpha_i \lambda_i} = a^{\alpha}$. Party $P_j$ then proceeds to recover $g^m = b/a^{\alpha}$, from which it finds $m$ assuming that $m$ belongs to a relatively small, known subset of $\mathbb{Z}_q$.

The protocol requires only a small amount of additional work compared to the basic protocol for decrypting public outputs, where each party $P_i$ outputs $a^{\alpha_i}$ along with a proof of correctness (cf. step 1), from which anyone is then able to recover $a^{\sum_i \alpha_i \lambda_i} = a^{\alpha}$ using $t+1$ valid shares (cf. step 2).
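The private-output decryption of steps 1 and 2, worked with a $(2,3)$-threshold Shamir sharing of $\alpha$ over a constructed toy group (added example, not the paper's code). Each party's public key $h_i = g^{\alpha_i}$ is the verification key of its share, as in the text; the correctness proofs of step 1 are omitted, and the function names and parameters are mine.

```python
"""Section 4.1 private outputs: decryption shares a^{alpha_i} are released
encrypted under the receiver's key h_j, so only P_j completes decryption.
Added example, not the paper's code; step-1 proofs are omitted."""
import random

P, Q, G = 2039, 1019, 4          # constructed toy group: p = 2q + 1, G of order q

def shamir_shares(alpha, t, n):
    """(t+1, n)-threshold sharing of alpha over Z_q: party i holds f(i), f(0) = alpha."""
    coeffs = [alpha] + [random.randrange(Q) for _ in range(t)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def lagrange_at_zero(ids):
    """Coefficients lambda_i with sum_i lambda_i f(i) = f(0) for the given share ids."""
    lam = {}
    for i in ids:
        num = den = 1
        for j in ids:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        lam[i] = num * pow(den, -1, Q) % Q
    return lam

def encrypt_elem(h, elem, r=None):
    """ElGamal encryption of a group element under public key h: (g^r, elem * h^r)."""
    r = random.randrange(Q) if r is None else r
    return pow(G, r, P), elem * pow(h, r, P) % P

def share_for_receiver(a, alpha_i, h_j):
    """Step 1: P_i outputs (c_i, d_i) = (g^{r_i}, a^{alpha_i} h_j^{r_i})."""
    return encrypt_elem(h_j, pow(a, alpha_i, P))

def receiver_decrypt(enc_shares, alpha_j, ct, candidates):
    """Step 2: P_j raises the t+1 encrypted shares to lambda_i and multiplies them,
    strips h_j with its own key to get a^alpha, then g^m = b / a^alpha and m is
    looked up in the small candidate set."""
    a, b = ct
    lam = lagrange_at_zero(list(enc_shares))
    c = d = 1
    for i, (ci, di) in enc_shares.items():
        c = c * pow(ci, lam[i], P) % P
        d = d * pow(di, lam[i], P) % P
    a_alpha = d * pow(c, (Q - alpha_j) % Q, P) % P    # prod_i a^{alpha_i lambda_i} = a^alpha
    gm = b * pow(a_alpha, Q - 1, P) % P               # b / a^alpha = g^m
    return next((m for m in candidates if pow(G, m, P) == gm), None)

def demo(m=42, t=1, n=3, j=2):
    """Three parties, threshold t+1 = 2; the output m is intended for P_j only."""
    random.seed(3)
    alpha = random.randrange(1, Q)
    shares = shamir_shares(alpha, t, n)              # alpha_i, with h_i = g^{alpha_i}
    h = pow(G, alpha, P)
    ct = encrypt_elem(h, pow(G, m, P))               # the circuit's output encryption [m]
    h_j = pow(G, shares[j], P)                       # P_j's public key
    enc_shares = {i: share_for_receiver(ct[0], shares[i], h_j) for i in (1, 3)}
    return receiver_decrypt(enc_shares, shares[j], ct, range(100))
```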

4.2 Fairness 

Recall that $t$ denotes the maximum number of corrupted parties tolerated by the circuit evaluation protocol. For $t < n/2$, that is, the case of a dishonest minority, the protocol achieves robustness. We now extend the protocol to handle the two-party case $t = 1$, $n = 2$ (which is a special case of a dishonest majority, $n/2 \leq t < n$).

For the two-party case we give up on robustness, since one cannot prevent 
one of the parties from quitting the protocol prematurely. If a party chooses to 
do so, however, it should not gain any advantage from it. If a protocol achieves 
this property, the protocol is said to be fair. 

An important observation for the above circuit evaluation protocol is that neither party gains any advantage from quitting the protocol in phase 1 or phase 2 of the protocol. In particular, consider the case that party $P_2$, say, chooses to quit during the threshold decryption step of a conditional gate, for which party $P_1$ has already produced its decryption share. In that case, only $P_2$ learns the decrypted value $x_n$ but this value cannot possibly give $P_2$ an advantage, as follows from the simulation in the proof of Theorem 1.

Therefore, to achieve fairness, we only need to protect the decryption of the output values. For this purpose, we will apply a protocol similar to that of [BST01]. In [BST01], however, the protocol steps for achieving fairness are intertwined with the original protocol steps, while in our protocol the additional steps for achieving fairness are strictly limited to the decryption of the output values.

Let an encryption $(a,b)$ be given. Recall that $(2,2)$-threshold decryption requires party $P_i$ to provide $d_i = a^{\alpha_i}$, $i = 1,2$, along with a proof that this value is correct w.r.t. the public key $h_i = g^{\alpha_i}$ of party $P_i$. Instead of directly revealing this value, we will release it gradually using the following protocol, where $k$ is a security parameter, $k < \log_2 q$, and $h \in \langle g\rangle$ denotes an additional generator for which $\log_g h$ is unknown to parties $P_1, P_2$:

1. For $i = 1,2$, party $P_i$ chooses $\epsilon_{ij} \in_R \{0,1\}$, $a_{ij} \in_R \mathbb{Z}_q$ for $j = 0, \ldots, k-1$ subject to the condition that $\alpha_i = \sum_{j=0}^{k-1} a_{ij}$. Party $P_i$ then broadcasts the values $d_{ij} = a^{a_{ij}} h^{\epsilon_{ij} 2^j}$, $j = 0, \ldots, k-1$, along with a proof that each $\epsilon_{ij} \in \{0,1\}$ and a proof that $\prod_{j=0}^{k-1} d_{ij} = a^{\alpha_i} h^{e}$, where $\alpha_i = \log_g h_i$, for some value $e$.

2. Set $j = k-1$. Parties $P_1, P_2$ repeatedly execute the following step. For $i = 1,2$, party $P_i$ broadcasts values $a_{ij}, \epsilon_{ij}$. If these values verify correctly against $d_{ij}$, the value of $j$ is decremented and the step is repeated if $j > 0$.

3. Once $j = 0$ both parties release $\epsilon_{i0}$ along with a proof of knowledge for a witness $a_{i0}$ satisfying $d_{i0} h^{-\epsilon_{i0}} = a^{a_{i0}}$.

4. Both parties are able to recover the missing value $a^{\alpha_i}$ as follows:

At each stage of the protocol, either party is at most one bit ahead of the other party. If one sets $k = 80$, for instance, it is clearly infeasible for both parties to compute the missing value $a^{\alpha_i}$ at step 1, as it requires a search over $2^k$ possible values for $\epsilon_{i,k-1}, \ldots, \epsilon_{i0}$. At each later step, the search space is reduced in size by a factor of two.

The protocol does not leak any information on $\alpha_i$ beyond what is implied by the output values $a^{\alpha_i}$. The protocol can be run in parallel for decrypting multiple outputs at the same time, and the protocol can be combined easily with our protocol for private outputs presented above.
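The gradual release of steps 1 to 3 in code, for both parties of a $(2,2)$-threshold decryption (added example, not the paper's). The commitment form $d_{ij} = a^{a_{ij}} h^{\epsilon_{ij} 2^j}$ with $\alpha_i = \sum_j a_{ij}$, and the recovery in step 4 as $\prod_j d_{ij} \cdot h^{-\sum_j \epsilon_{ij} 2^j}$, are my reading of steps 1 to 3 (the recovery formula itself is not given on this copy of the page); the proofs are stood in for by direct checks of the released values, and the toy group and the second generator $h$ are constructed.

```python
"""Section 4.2 gradual release of a decryption share a^{alpha_i}.
Added example, not the paper's code. Commitment form and the step-4 recovery
are my reading of steps 1-3; the ZK proofs are replaced by direct checks."""
import random

P, Q, G = 2039, 1019, 4        # constructed toy group of prime order q; k must stay < log2(q)
H = pow(G, 777, P)             # second generator; its discrete log is treated as unknown

def commit_bits(a, alpha_i, k):
    """Step 1 for one party: alpha_i = sum_j a_ij, random bits eps_ij, and
    d_ij = a^{a_ij} * H^{eps_ij 2^j}; returns (a_ij list, eps list, d list)."""
    a_vals = [random.randrange(Q) for _ in range(k - 1)]
    a_vals.insert(0, (alpha_i - sum(a_vals)) % Q)      # a_i0 makes the sum equal alpha_i
    eps = [random.randrange(2) for _ in range(k)]
    d = [pow(a, a_vals[j], P) * pow(H, eps[j] << j, P) % P for j in range(k)]
    return a_vals, eps, d

def verify_opening(a, d_j, a_j, eps_j, j):
    """Step 2 check of a released pair (a_ij, eps_ij) against the commitment d_ij."""
    return eps_j in (0, 1) and d_j == pow(a, a_j, P) * pow(H, eps_j << j, P) % P

def recover(d, eps):
    """Step 4 (assumed form): a^{alpha_i} = prod_j d_ij * H^{-sum_j eps_ij 2^j};
    the unreleased a_i0 is never needed, only all the eps bits."""
    prod = 1
    for d_j in d:
        prod = prod * d_j % P
    e = sum(e_j << j for j, e_j in enumerate(eps))
    return prod * pow(H, (-e) % Q, P) % P

def run_release(a, alpha, k):
    """Both parties commit, then alternately open bit k-1 down to 1 (step 2),
    release eps_i0 only (step 3), and each recovers the other's a^{alpha_i}."""
    state = [commit_bits(a, alpha[i], k) for i in (0, 1)]
    known = [[None] * k for _ in (0, 1)]               # eps bits learned by the other party
    for j in range(k - 1, 0, -1):
        for i in (0, 1):
            a_vals, eps, d = state[i]
            if not verify_opening(a, d[j], a_vals[j], eps[j], j):
                raise ValueError(f"party {i + 1} failed to open bit {j}; abort")
            known[i][j] = eps[j]
    for i in (0, 1):                                   # step 3: eps_i0 with a proof, no a_i0
        known[i][0] = state[i][1][0]
    return [recover(state[i][2], known[i]) for i in (0, 1)]

def demo(k=8):
    """Returns, per party, whether the recovered value equals the true a^{alpha_i}."""
    random.seed(11)
    alpha = [random.randrange(1, Q) for _ in (0, 1)]
    a = pow(G, random.randrange(1, Q), P)              # first component of the ciphertext
    got = run_release(a, alpha, k)
    return [g == pow(a, al, P) for g, al in zip(got, alpha)]
```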

The above protocol achieves a basic level of fairness. In [Pin03] a strengthened 
notion of fairness for two-party computation is considered, which also addresses 
the case where one party may be considerably more powerful than the other 
party; the timed commitments used to resolve this problem, however, critically 
depend on the hardness of factoring. (The recent paper [GMY04b] describes a 
way to cover fairness in a universally composable way, for static adversaries. In 
particular, the result of [CDNOl] is extended to cover fairness as well, using a 
factoring related assumption to achieve timed commitments.) Apart from this 
difference, the result of [Pin03] is comparable to our result. The difference is 
that [Pin03] is based on Yao’s garbled circuit approach, while our approach is 
based on homomorphic threshold cryptosystems. In both cases, however, the 
changes to make the protocol fair are limited to the output stage, where some 
form of gradual release is used in combination with a method to ensure that 
commitments opened during gradual release indeed contain the correct output 
of the computation. 



5 Relational and Arithmetic Operators 

In this section we apply our set of elementary gates over $\mathbb{Z}_q$ to obtain efficient circuits for basic operations such as integer comparison and integer addition. In most cases, the inputs are required to be given by their binary representations. We consider the general case, in which the circuits operate on encrypted inputs, producing encrypted outputs, such that they can be used as building blocks in constructing circuits for more elaborate functions, either in a two-party setting or in a general multiparty setting.

5.1 $\mathrm{sgn}(x - y)$

Below, we present an efficient protocol for comparing two (non-negative) integer values $x$ and $y$. The inputs are given as sequences of encrypted bits, $[\![x_{m-1}]\!], \ldots, [\![x_0]\!]$ and $[\![y_{m-1}]\!], \ldots, [\![y_0]\!]$, with $x = \sum_{i=0}^{m-1} x_i 2^i$, $y = \sum_{i=0}^{m-1} y_i 2^i$.

The output of the protocol consists of an encryption $[\![\mathrm{sgn}(x-y)]\!]$, where sgn denotes the signum function:

$$\mathrm{sgn}\, z = \begin{cases} -1, & z < 0, \\ 0, & z = 0, \\ 1, & z > 0. \end{cases}$$

Using that $x_i^2 = x_i$ and $y_i^2 = y_i$ for $x_i, y_i \in \{0,1\}$, the general strategy is now to examine the unique multilinear polynomial $p$ over $\mathbb{Z}_q$ satisfying $p(x_0, \ldots, x_{m-1}, y_0, \ldots, y_{m-1}) = \mathrm{sgn}(x-y)$ for all $x, y$, $0 \leq x, y < 2^m$. The problem that remains is to find an efficient circuit (or, equivalently, an oblivious evaluation order) for the polynomial $p$.

As a first step, we consider the evaluation $p = s_0$ with

$$s_m = 0, \qquad s_i = s_{i+1} + (1 - s_{i+1}^2)(x_i - y_i).$$

Clearly, this results in the correct output value. However, we cannot evaluate the term $s_i^2$ by means of a conditional gate since $s_i$ is three-valued ($s_i \in \{-1,0,1\}$). This is easily resolved by introducing an auxiliary binary sequence $v_i$, with $v_i = 1 - s_i^2$:

$$s_m = 0, \qquad s_i = s_{i+1} + v_{i+1}(x_i - y_i),$$
$$v_m = 1, \qquad v_i = v_{i+1} - v_{i+1}(x_i - y_i)^2.$$

Now, it is easy to draw up a circuit using $3m - 2$ conditional gates (using that $s_m = 0$ and $v_m = 1$ are publicly known values, hence need not be encrypted).

We note that the bits may also be traversed in the opposite direction, starting at the least significant bit. This results in the following sequence, with $s'_m$ as output:

$$s'_0 = 0, \qquad s'_{i+1} = (1 - (x_i - y_i)^2) s'_i + x_i - y_i.$$

This method only needs $2m - 2$ conditional gates: per iteration, one conditional gate to compute $x_i y_i$ and one to subsequently compute $(1 - (x_i - y_i)^2) s'_i$ with $1 - (x_i - y_i)^2$ as dichotomous multiplier. Here we take full advantage of the fact that the conditional gate does not put any constraints on the multiplicand: whereas a Boolean circuit for $\mathrm{sgn}(x-y)$ requires all intermediate values to be binary, our circuit uses non-binary intermediate values, such as the ternary $s'_i$'s.
5.2 $x > y$

The output of $x > y$ consists of one bit only, which is set to 1 if $x > y$ and to 0 otherwise. Starting at the least significant bit, the output is given by $t_m$, where

$$t_0 = 0, \qquad t_{i+1} = (1 - (x_i - y_i)^2) t_i + x_i(1 - y_i).$$

This method requires $2m - 1$ conditional gates. (For comparison we note that the best known circuit using only logical gates requires $5m$ binary gates, e.g. using the circuit for $\mathrm{Bigger}_k(X,Y)$ of [KO02]. Similarly, for computing $\mathrm{Max}(X,Y)$ given $\mathrm{Bigger}_k(X,Y)$, $2m$ additional gates are required in [KO02], while we can compute the bits of $z = \max(x,y)$ by setting $z_i = y_i + t_m(x_i - y_i)$, using only $m$ additional conditional gates.)

We now specialize this solution for $x > y$ to obtain a solution for Yao's basic millionaires problem [Yao82]. In this case, the protocol is run by two parties, providing $x$ and $y$ respectively as private inputs. This allows for a much more efficient solution, as the conditional gates can all be replaced by the private-multiplier gates of Section 3.1. The private-multiplier gates can be even optimized slightly by using Pedersen commitments instead of ElGamal encryptions, and using that the multipliers are binary.

The total computational cost of our solution to Yao's millionaires problem, including the cost of the distributed key generation and the decryption of the result, is dominated by the cost of about $2m$ private-multiplier gates (computing $[\![y_i t_i]\!]$ and $[\![x_i(1 - y_i - t_i + 2 y_i t_i)]\!]$ as intermediate values), which require 6 exponentiations each, hence $12m$ exponentiations in total (starting at the least significant bit). To the best of our knowledge, this is the most efficient solution to date. Here, we cover the malicious case (unlike many other papers on the millionaires problem, that only deal with the semi-honest case, e.g., [Fis01, NN01, IG03]), but we do not cover fairness. We also note that we do not need an auxiliary trusted party, as in [Cac99], although that paper achieves fairness as well at a relatively low cost. Finally, while most other solutions rely on an RSA-like assumption, our solution is secure under the standard DDH assumption. This is also true for the solution of [KO02], but their solution is much less efficient because their circuits are evaluated using the expensive Mix and Match gates of [JJ00].

5.3 $x = y$

For testing equality of $x$ and $y$, the following sequence can be used, where the output $u_m = 0$ iff $x = y$:

$$u_0 = 0, \qquad u_{i+1} = (1 - (x_i - y_i)^2) u_i + (x_i - y_i)^2.$$

The order in which the bits are processed is actually irrelevant. This method requires $2m - 1$ conditional gates, returning the output bit in encrypted form.

The socialist millionaires problem, a variant introduced by [JY96], is to evaluate $x = y$ for a two-party setting, where $x, y \in \mathbb{Z}_q$ are the respective private inputs, and the output may be public. The currently best solution is due to [BST01], using only $O(1)$ exponentiations, hence without using the binary representations of $x$ and $y$. We obtain a solution in a similar vein as follows. The parties broadcast $[\![x]\!]$ and $[\![y]\!]$, resp., and jointly form $[\![r]\!]$, where $r \in_R \mathbb{Z}_q$ and neither of the parties knows $r$. Using the private multiplier gate, the parties then compute $[\![(x-y)r]\!]$, which is jointly decrypted to obtain $g^{(x-y)r}$ (rather than obtaining $(x-y)r$). If $g^{(x-y)r} = 1$ then w.v.h.p. $x = y$, otherwise $x \neq y$.

5.4 $x + y$ and $x \cdot y$

Given $[\![x]\!], [\![y]\!]$, one obtains $[\![x+y]\!]$ directly using the homomorphic property. A nice application of the conditional gate is that $[\![xy]\!]$ can also be computed efficiently, if we assume that $x$ is given in binary form.

Given $[\![x_{m-1}]\!], \ldots, [\![x_0]\!]$ and $[\![y]\!]$, where $y \in \mathbb{Z}_q$, one computes $[\![xy]\!]$ using that $xy = \sum_{i=0}^{m-1} x_i (y 2^i)$. This method requires only $m$ conditional gates, whereas a standard Boolean circuit would require $O(m^2)$ bit multiplications.
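The Section 5 recurrences (the least-significant-bit-first $\mathrm{sgn}(x-y)$, $x > y$, the bits of $\max(x,y)$, $x = y$, and binary-by-scalar multiplication) evaluated in the clear over $\mathbb{Z}_q$, with a counter for exactly those multiplications that would need a conditional gate (added example, not the paper's code). It checks the arithmetic identities exhaustively for 4-bit inputs and reports the gate counts $2m-2$, $2m-1$, $3m-1$, $2m-1$ and $m$; the toy modulus and the helper names are mine.

```python
"""Section 5 circuits checked in the clear over Z_q. Added example, not the
paper's code: each recurrence runs on plaintext bits while a counter records
the multiplications that would need a conditional gate (one input two-valued);
additions and products with a public constant are free."""
Q = 1019  # constructed toy modulus; any prime larger than the values involved works

class Gates:
    """Counts conditional-gate multiplications; the first argument must be dichotomous."""
    def __init__(self):
        self.count = 0

    def mul(self, a, b):
        self.count += 1
        return a * b % Q

def bits(v, m):
    """Binary representation x_0 (LSB), ..., x_{m-1} of a non-negative integer."""
    return [(v >> i) & 1 for i in range(m)]

def diff_sq(g, xi, yi):
    """(x_i - y_i)^2 = x_i + y_i - 2 x_i y_i: one conditional gate for x_i y_i."""
    return (xi + yi - 2 * g.mul(xi, yi)) % Q

def sgn_lsb_first(g, xb, yb):
    """Section 5.1: s'_0 = 0, s'_{i+1} = (1 - (x_i - y_i)^2) s'_i + x_i - y_i."""
    s = 0
    for i, (xi, yi) in enumerate(zip(xb, yb)):
        if i == 0:                                   # s'_0 = 0 is public: no gates yet
            s = (xi - yi) % Q
            continue
        s = (g.mul(1 - diff_sq(g, xi, yi), s) + xi - yi) % Q
    return s

def greater(g, xb, yb):
    """Section 5.2: t_0 = 0, t_{i+1} = (1 - (x_i - y_i)^2) t_i + x_i (1 - y_i)."""
    t = 0
    for i, (xi, yi) in enumerate(zip(xb, yb)):
        xy = g.mul(xi, yi)                           # shared by both terms of the step
        if i == 0:
            t = (xi - xy) % Q
            continue
        t = (g.mul(1 - (xi + yi - 2 * xy) % Q, t) + xi - xy) % Q
    return t

def max_bits(g, xb, yb):
    """z_i = y_i + t_m (x_i - y_i): m more conditional gates with t_m as multiplier."""
    t = greater(g, xb, yb)
    return [(yi + g.mul(t, (xi - yi) % Q)) % Q for xi, yi in zip(xb, yb)]

def equal(g, xb, yb):
    """Section 5.3: u_0 = 0, u_{i+1} = (1 - (x_i - y_i)^2) u_i + (x_i - y_i)^2."""
    u = 0
    for i, (xi, yi) in enumerate(zip(xb, yb)):
        d2 = diff_sq(g, xi, yi)
        u = d2 if i == 0 else (g.mul(1 - d2, u) + d2) % Q
    return u

def mul_binary(g, xb, y):
    """Section 5.4: xy = sum_i x_i (y 2^i), one conditional gate per bit of x."""
    return sum(g.mul(xi, y * (1 << i) % Q) for i, xi in enumerate(xb)) % Q

def check_all(m=4):
    """Exhaustively verifies every circuit for m-bit x, y and returns the gate counts."""
    counts = {}
    for x in range(1 << m):
        for y in range(1 << m):
            xb, yb = bits(x, m), bits(y, m)
            g = Gates(); s = sgn_lsb_first(g, xb, yb); counts["sgn"] = g.count
            assert s == ((x > y) - (x < y)) % Q
            g = Gates(); assert greater(g, xb, yb) == int(x > y); counts["gt"] = g.count
            g = Gates(); assert max_bits(g, xb, yb) == bits(max(x, y), m); counts["max"] = g.count
            g = Gates(); assert (equal(g, xb, yb) == 0) == (x == y); counts["eq"] = g.count
            g = Gates(); assert mul_binary(g, xb, y) == x * y % Q; counts["mul"] = g.count
    return counts
```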

6 Concluding Remarks 

We envision a practical system supporting ad hoc contacts among a large group of peer users. Since efficient DKG protocols for $(2,2)$-threshold ElGamal are easily achieved, our results show that any pair of users is able to engage in a two-party computation for evaluating some dynamically agreed upon function. For example, the circuits of the previous section lead to solutions for tasks of practical interest, such as profile matching, allowing two users with profiles (length $m$ bit vectors) $x$ and $y$, resp., to evaluate $\Delta(x,y) > T$, where $\Delta(x,y) = \sum_{i=0}^{m-1} x_i \oplus y_i$ is an example similarity measure and $T$ is a threshold.

Further research is required for a full comparison with some recent approaches to secure (two-party) computation. For instance, an interesting approach is presented in [GMY04a], which is based on committed oblivious transfer instead of homomorphic threshold encryption. The amount of work per gate is comparable to the work for a conditional gate, but the hidden constants for their approach are larger than in our case. This is partly due to the fact that their solution is designed to be universally composable, but remains true if their solution is 'downgraded' to a protocol for static adversaries; per gate, one party uses 5 bit commitments and proves a number of relations for these commitments, followed by a $\binom{2}{1}$ oblivious transfer. For a full comparison with [GMY04a], our solution needs to be 'upgraded' to a universally composable one, e.g., following the approach of [DN03]. This would provide an interesting alternative, as the extension of [GMY04a] to the multiparty case requires each pair of parties to run their basic two-party protocol for each multiplication gate, while with our approach the parties run a single joint protocol for each conditional gate.

A well-known alternative to the gate-by-gate approach, is Yao’s garbled cir- 
cuit approach for two-party computation. The Fairplay system is designed to 
evaluate the practical merits of the garbled circuit approach, including some op- 
timizations that will pay off for sufficiently large circuits [MNPS04]. We expect 
a trade-off showing that the garbled circuit approach is best for large circuits 
whereas a gate-by-gate approach is best for small circuits, or rather circuits for 
which the number of inputs is proportional to the total number of gates. 
Abstract. We study private computations in information-theoretical settings on networks that are not 2-connected. Non-2-connected networks are "non-private" in the sense that most functions cannot privately be computed on them. We relax the notion of privacy by introducing lossy private protocols, which generalize private protocols. We measure the information each player gains during the computation. Good protocols should minimize the amount of information they lose to the players. Throughout this work, privacy always means 1-privacy, i.e. players are not allowed to share their knowledge. Furthermore, the players are honest but curious, thus they never deviate from the given protocol.

By use of randomness by the protocol the communication strings a certain player can observe on a particular input determine a probability distribution. We define the loss of a protocol to a player as the logarithm of the number of different probability distributions the player can observe. For optimal protocols, this is justified by the following result: For a particular content of any player's random tape, the distributions the player observes have pairwise fidelity zero. Thus the player can easily distinguish the distributions.

The simplest non-2-connected networks consist of two blocks that share one bridge node. We prove that on such networks, communication complexity and the loss of a private protocol are closely related: Up to constant factors, they are the same.

Then we study 1-phase protocols, an analogue of 1-round communication protocols. In such a protocol each bridge node may communicate with each block only once. We investigate in which order a bridge node should communicate with the blocks to minimize the loss of information. In particular, for symmetric functions it is optimal to sort the components by increasing size. Then we design a 1-phase protocol that for symmetric functions simultaneously minimizes the loss at all nodes where the minimum is taken over all 1-phase protocols.

Finally, we prove a phase hierarchy. For any $k$ there is a function such that every $(k-1)$-phase protocol for this function has an information loss that is exponentially greater than that of the best $k$-phase protocol.
1 Introduction 

Consider a set of players, each knowing an individual secret. They want to com- 
pute some function depending on their secrets. But after the computation, no 
player should know anything about the other secrets except for what he is able 
to deduce from his own secret and the function value. This is the aim of pri- 
vate computation (also called secure multi-party computation). To compute the 
function, the players can send messages to each other using secure links. 

An example of such a computation is the “secret voting problem”: The 
members of a committee wish to decide whether the majority votes for yes or 
no. But after the vote nobody should know anything about the opinions of the 
other members, not even about the exact number of yes and no votes, except for 
whether the majority voted for yes or no. 

If no group of at most t players can infer anything about the input bits that 
cannot be inferred from the function value and their own input bits, we speak 
of t-privacy. 

Any Boolean function can privately (in the following we identify privately 
with 1-privately) be computed on any 2-connected network. Unfortunately, there 
are many Boolean functions, even simple ones like parity or disjunction, that 
cannot privately be computed if the underlying network is not 2-connected [5]. 

However, many real-world networks are not 2-connected and private compu- 
tation is not possible. If the players in the network have to compute something 
but do not trust each other, there is a natural interest of the players in privacy. 
What can we do? We relax the notion of privacy: One cannot require that any 
player learns only what he is able to deduce from his own secret and the function 
value. Instead we require that any player learns as little as possible about the 
secrets of the other players (in an information-theoretical sense) while it is still 
possible to compute the function. 

Bridge nodes are important when considering non-2-connected networks. For 
all non-bridge players we can guarantee that they do not learn anything except 
for what they can deduce from their own bit and the function value. Thus, the 
bridge players are the only players that are able to learn something more. The 
question is now, how much the bridge players need to learn such that the function 
can be computed. The simplest setting is a network of two blocks with one bridge 
node in common. (A block is a maximal 2-connected subnetwork.) This reminds 
one of communication complexity with a man in the middle: Alice (one block) 
and Bob (another block) want to compute a function depending on their in- 
put while preventing Eve (the bridge node) from learning anything about their 
input. Unfortunately, Eve listens to the only communication channel between 
Alice and Bob. In terms of communication complexity, this problem had been 
examined by Modiano and Ephremides [13, 14] and Orlitsky and El Gamal [17] 
under cryptographic security. In contrast, we deal with information-theoretical 
security, i.e. the computational power of the players is unrestricted. Furthermore, 
we are not interested in minimizing communication but in minimizing the infor- 
mation learned by any player. It turns out that there is a close relation between 
communication and privacy, at least in this special case. 
1.1 Previous Results 

Private computation was introduced by Yao [20]. He considered the problem 
under cryptographic assumptions. Private Computation with information-theo- 
retical security has been introduced by Ben-Or et al. [3] and Chaum et al. [6]. 
Kushilevitz et al. [12] proved that the class of Boolean functions that have a 
circuit of linear size is exactly the class of functions that can privately be com- 
puted using only a constant number of random bits. Kushilevitz [10] and Chor 
et al. [7] considered private computations of integer-valued functions. They ex- 
amined which functions can privately be computed by two players. Franklin 
and Yung [9] used directed hypergraphs for communication and described those 
networks on which every Boolean function can privately be computed. 

While all Boolean functions can privately be computed on any undirected 2- 
connected network, Bläser et al. [5] completely characterized the class of Boolean 
functions that can still privately be computed, if the underlying network is con- 
nected but not 2-connected. In particular, no non-degenerate function can pri- 
vately be computed if the network consists of three or more blocks. On networks 
with two blocks, only a small class of functions can privately be computed. 

Chaum et al. [6] proved that any Boolean function can privately be computed, 
if at most one third of the participating players are dishonest, i.e. they are 
cheating. We consider the setting that all players are honest, i.e. they do not 
cheat actively but try to acquire knowledge about the input bits of the other 
players only by observing their communication. For this model, Ben-Or et al. [3] proved that any $n$-ary Boolean function can be computed -private. Chor and Kushilevitz [8] showed that if a function can be computed at least ^-private, then it can be computed $n$-private as well. 

The idea of relaxing the privacy constraints has been studied to some extent 
in a cryptographic setting. Yao [20] examined the problem where it is allowed 
that the probability distributions of the messages seen by the players may differ 
slightly for different inputs, such that in practice the player should not be able 
to learn anything. Leakage of information in the information-theoretical sense 
has been considered only for two parties yet. Bar-Yehuda et al. [2] studied the 
minimum amount of information about the input that must be revealed for 
computing a given function in this setting. 

1.2 Our Results 

We study the leakage of information for multi-party protocols, where each player 
knows only a single bit of the input. Our first contribution is the definition of lossy 
private protocols, which is a generalization of private protocols in an information- 
theoretical sense (Section 2.2). Here and in the following, private always means 
1-private. Throughout this work, we restrict ourselves to non-2-connected (in the sense of non-2-vertex-connected) networks that are still 2-edge-connected. Every 
block in such a network has size at least three and private computation within 
such a block is possible. We measure the information any particular player gains 
during the execution of the protocol in an information-theoretical sense. This 
is the loss of the protocol to the player. The players are assumed to be honest 
but curious. This means that they always follow the protocol but try to derive as 
much information as possible. 

We divide lossy protocols into phases. Within a phase, a bridge player may 
exchange messages only once with each block he belongs to. Phases correspond 
to rounds in communication complexity but they are locally defined for each 
bridge player. 

In the definition of lossy protocols, the loss of a protocol to a player is merely 
the logarithm of the number of different probability distributions on the com- 
munication strings a player can observe. We justify this definition in Section 3: 
For a protocol with minimum loss to a player P and any particular content of 
P’s random tape, the support of any two probability distributions is disjoint. 
Thus, in order to gain information, P can distinguish the distributions from the 
actual communication he observes and does not need to sample. 

The simplest non-2-connected network consists of two blocks that share one 
bridge node. In Section 4 we show that the communication complexity of a 
function $f$ and the loss of a private protocol for $f$ are intimately connected: Up 
to constant factors, both quantities are equal. 

Then we study 1-phase protocols. We start with networks that consist of 
d blocks that all share the same bridge player P. In a 1-phase protocol, P 
can communicate only once with each block he belongs to. However, the loss 
of the protocol may depend on the order in which P communicates with the 
blocks. In Section 5, we show that the order in which P should communicate 
with the blocks to minimize the loss equals the order in which d parties should 
be ordered on a directed line when they want to compute the function with 
minimum communication complexity. Particularly for symmetric functions, it 
is optimal to sort the components by increasing size. Then we design a 1-phase 
protocol (Theorem 4), which has the remarkable feature that it achieves minimal 
loss at any node for symmetric functions. Hence, it simultaneously minimizes the 
loss for all nodes where the minimum is taken over all 1-phase protocols. 

In Section 6, we prove a phase hierarchy. For any $k$ there is a function for which every $(k-1)$-phase protocol has an exponentially greater information loss than that of the best $k$-phase protocol. 

1.3 Comparison of Our Results with Previous Work 

One of the important features of the two-party case is that at the beginning each 
party has knowledge about one half of the input. In the multi-party case each 
player knows only a single bit of the input. 

Privacy in Non-private Environments 141 

Kushilevitz [10] examined which integer-valued functions can privately be computed by two players. He showed that requiring privacy can result in exponentially larger communication costs and that randomization does not help in this model. Chor et al. [7] considered multi-party computations of functions over the integers. They showed that the possibility of privately computing a function is closely related to its communication complexity, and they characterized the class of privately computable Boolean functions on countable domains. Neither Kushilevitz [10] nor Chor et al. [7] examined the problem of how functions that cannot privately be computed can still be computed while maintaining as much privacy as possible. 

Leakage of information in the information-theoretical sense has been considered only for two parties, each holding one $n$-bit input of a two-variable function. 
Bar-Yehuda et al. [2] investigated this for functions that are not privately com- 
putable. They defined measures for the minimum amount of information about 
the individual inputs that must be learned during the computation and proved 
tight bounds on these costs for several functions. Finally, they showed that sac- 
rificing some privacy can reduce the number of messages required during the 
computation and proved that at the costs of revealing $k$ extra bits of information any function can be computed using $O(k \cdot \ldots)$ messages. 

The counterpart of the two-party scenario in the distributed setting that we 
consider is a network that consists of two complete networks that share one node 
connecting them. Simulating any two-party protocol on such a network allows the 
common player to gain information depending on the deterministic communica- 
tion complexity of the function that should be evaluated. Hence and in contrast 
to the two-party case, increasing the number of bits exchanged does not help 
to reduce the knowledge learned by the player that is part of either block. An 
important difference between the two-party scenario, where two parties share 
the complete input, and a network consisting of two 2-connected components 
connected via a common player (the bridge player) is that in the latter we have 
something like a “man in the middle” (the bridge player) who can learn more 
than any other player, since he can observe the whole communication. 

2 Preliminaries 

For $i, j \in \mathbb{N}$, let $[i] := \{1, \ldots, i\}$ and $[i:j] := \{i, \ldots, j\}$. Let $x = x_1 x_2 \cdots x_n \in \{0,1\}^n$ be a string of length $n$. We often use the string operation $x_{i \leftarrow a}$ defined for any $i \in [n]$ and $a \in \{0,1\}$ by $x_1 \ldots x_{i-1}\, a\, x_{i+1} \ldots x_n$. For a function $f : \{0,1\}^n \to \{0,1\}$, an index $i \in [n]$, and $a \in \{0,1\}$, $f_{i \leftarrow a} : \{0,1\}^{n-1} \to \{0,1\}$ denotes the function obtained from $f$ by specialising the position $i$ to the value given by $a$, i.e. for all $x = x_1 x_2 \cdots x_{n-1} \in \{0,1\}^{n-1}$, 

$f_{i \leftarrow a}(x) = f(x_1, \ldots, x_{i-1}, a, x_i, \ldots, x_{n-1})$ . 

An undirected graph $G = (V, E)$ is called 2-connected, if the graph obtained from $G$ by deleting an arbitrary node is still connected. For a set $U \subseteq V$, let $G|_U := (U, E|_U)$ be the graph induced by $U$. A subgraph $G|_U$ is called a block, if $G|_U$ is 2-connected and no proper supergraph $G|_{U'}$ (with $U \subsetneq U'$) is 2-connected. A block of size two is called an isthmus. A graph is called 2-edge-connected if after removal of one edge, the graph is still connected. A graph is 2-edge-connected if it is connected and has no isthmi. A node belonging to more than one block is called a bridge node. The other nodes are called internal nodes. The blocks of a graph are arranged in a tree structure. For more details on graphs, see e.g. Berge [4]. 

A Boolean function is symmetric, if the function value depends only on the 
number of 1s in the input. See Wegener [19] for a survey on Boolean functions. 
2.1 Private Computations 

We consider the computation of Boolean functions $f : \{0,1\}^n \to \{0,1\}$ on a network of $n$ players. In the beginning, each player knows a single bit of the input $x$. Each player has a random tape. The players can send messages to other players using secure links where the link topology is an undirected graph $G = (V, E)$. When the computation stops, all players should know the value $f(x)$. The goal is to compute $f(x)$ such that no player learns anything about the other input bits in an information-theoretical sense except for the information he can deduce from his own bit and the result. Such a protocol is called private. 

Definition 1. Let $C_i$ be a random variable of the communication string seen by player $P_i$. A protocol $\mathcal{A}$ for computing a function $f$ is private with respect to player $P_i$ if for any pair of input vectors $x$ and $y$ with $f(x) = f(y)$ and $x_i = y_i$, for every $c$, and for every random string $R_i$ provided to $P_i$, 

$\Pr[C_i = c \mid R_i, x] = \Pr[C_i = c \mid R_i, y]$ , 

where the probability is taken over the random strings of all other players. A protocol $\mathcal{A}$ is private if it is private with respect to all players. 

In the following, we use a strengthened definition of privacy: We allow only one player, say $P_1$, to know the result. The protocol has to be private with respect to $P_1$ according to Definition 1. Furthermore, for all players $P_j \neq P_1$, for all inputs $x, y$ with $x_j = y_j$, and for all random strings $R_j$ we require $\Pr[C_j = c \mid R_j, x] = \Pr[C_j = c \mid R_j, y]$. Thus, all other players do not learn anything. This definition does not restrict the class of functions computable by private protocols according to Definition 1. To achieve this additional restriction, $P_1$ generates a random bit $r$. Then we use a private protocol for computing $r \oplus f(x)$. 

2.2 Information Source 

The definition of privacy basically states the following: The probability that a 
player Pi sees a specific communication string during the computation does not 
depend on the input of the other players. Thus, Pi cannot infer anything about 
the other inputs from the communication he observes. 

If private computation is not possible since the graph is not 2-connected, it is 
natural to weaken the concept of privacy in the following way: We measure the 
information player Pi can infer from seeing a particular communication string. 
This leads to the concept of lossy private protocols. The less information any 
player can infer, the better the protocol is. 

In the following, $c_1, c_2, c_3, \ldots$ denotes a fixed enumeration of all communication strings seen by any player during the execution of $\mathcal{A}$. 

Definition 2. Let $C_i$ be a random variable of the communication string seen by player $P_i$ while executing $\mathcal{A}$. Then for $a, b \in \{0,1\}$ and for every random string $R_i$ provided to $P_i$, define the information source of $P_i$ on $a$, $b$, and $R_i$ as 

$S_{\mathcal{A}}(i, a, b, R_i) := \{ (\mu_x(c_1), \mu_x(c_2), \ldots) \mid x \in \{0,1\}^n \wedge x_i = a \wedge f(x) = b \}$ 

where $\mu_x(c_k) := \Pr[C_i = c_k \mid R_i, x]$ and the probability is taken over the random strings of all other players. 

Basically $S_{\mathcal{A}}(i, a, b, R_i)$ is the set of all different probability distributions on the communication strings observed by $P_i$ when the input $x$ of the players varies over all possible bit strings with $x_i = a$ and $f(x) = b$. The loss of a protocol $\mathcal{A}$ on $a, b$ with respect to player $P_i$ is 

$\mathcal{L} = \max_{R_i} \log |S_{\mathcal{A}}(i, a, b, R_i)|$ . 

Thus the protocol loses $\mathcal{L}$ bits of information to $P_i$. We call such a protocol $\mathcal{L}$-lossy on $a, b$ with respect to $P_i$. 

If a uniform distribution of the input bits is assumed, then the self-information of an assignment to the players $P_1, \ldots, P_{i-1}, P_{i+1}, \ldots, P_n$ is $n - 1$ [18]. In this case the maximum number of bits of information that can be extracted by $P_i$ is $n - 1$. If $\mathcal{A}$ is 0-lossy for all $a, b \in \{0,1\}$ with respect to $P_i$, then we say that $\mathcal{A}$ is lossless with respect to $P_i$. $\mathcal{A}$ is lossless to $P_i$ iff $\mathcal{A}$ is private to $P_i$. Thus the notion of lossy private protocols generalizes the notion of private protocols. 

Definition 3. A protocol $\mathcal{A}$ computing a function $f$ in a network $G$ is $\mathcal{L}_{\mathcal{A}}$-lossy, with $\mathcal{L}_{\mathcal{A}} : [n] \times \{0,1\}^2 \to \mathbb{R}_{\geq 0}$, if $\mathcal{L}_{\mathcal{A}}(i, a, b) = \max_{R_i} \log |S_{\mathcal{A}}(i, a, b, R_i)|$. Let $f$ be an $n$-ary Boolean function. Then for every network $G = (V, E)$ with $|V| = n$, define $\mathcal{L}_G : [n] \times \{0,1\}^2 \to \mathbb{R}_{\geq 0}$ by 

$\mathcal{L}_G(i, a, b) := \min_{\mathcal{A}} \{\, \mathcal{L}_{\mathcal{A}}(i, a, b) \mid \mathcal{A} \text{ is an } \mathcal{L}_{\mathcal{A}}\text{-lossy protocol for } f \text{ in } G \,\}$ . 

The loss of a protocol $\mathcal{A}$ is bounded by $\lambda \in \mathbb{N}$, if $\mathcal{L}_{\mathcal{A}}(i, a, b) \le \lambda$ for all $i$, $a$, and $b$. $\mathcal{L}_G(i, a, b)$ is obtained by locally minimizing the loss to each player $P_i$ over all protocols. It is a priori not clear whether there is one protocol $\mathcal{A}$ with $\mathcal{L}_G(i, a, b) = \mathcal{L}_{\mathcal{A}}(i, a, b)$ for all $i, a, b$. We show that this is the case for symmetric functions and 1-phase protocols (as defined in Section 2.3). 

We also use the size of the information source, defined by $s_{\mathcal{A}}(i, a, b, R_i) = |S_{\mathcal{A}}(i, a, b, R_i)|$ and $s_{\mathcal{A}}(i, a, b) = \max_{R_i} s_{\mathcal{A}}(i, a, b, R_i)$ for a given protocol $\mathcal{A}$. By definition, $\mathcal{L}_{\mathcal{A}}(i, a, b) = \log s_{\mathcal{A}}(i, a, b)$. If the underlying protocol is clear from the context, we omit the subscript $\mathcal{A}$. Let $f$ be an $n$-ary Boolean function. For a network $G = (V, E)$ with $|V| = n$, we define $s_G(i, a, b) := \min_{\mathcal{A}} s_{\mathcal{A}}(i, a, b)$. If a player $P_i$ is an internal node of the network, then it is possible to design protocols that are lossless with respect to $P_i$ (see Section 3). Players $P_i$ that are bridge nodes are in general able to infer some information about the input. 

2.3 Phases in a Protocol 

We say that a player $P_q$ who corresponds to a bridge node makes an alternation if he finishes the communication with one block and starts to communicate with another block. During such an alternation, information can flow from one block to another. We partition a communication sequence $c = d_1 d_2 \ldots$ of $P_q$ into a minimal number of disjoint subsequences $(d_1, \ldots, d_{i_1}), (d_{i_1 + 1}, \ldots, d_{i_2}), \ldots$ such that each subsequence is alternation-free (i.e. $P_q$ makes no alternation during the corresponding interval). To make such a partition unique assume that each subsequence (maybe except for the first one) starts with a non-empty message. We call these subsequences block sequences of $c$ and define $\mathrm{block}_j(c) := (d_{i_{j-1} + 1}, \ldots, d_{i_j})$ with $i_0 = 0$. Next we partition the work of $P_q$ into phases as follows. $P_q$ starts at the beginning of the first phase and it initiates a new phase when, after an alternation, it starts to communicate again with a block it already has communicated with previously in the phase. 

A protocol $\mathcal{A}$ is a $k$-phase protocol for a bridge node $P_q$ if for every input string and contents of all random tapes, $P_q$ works in at most $k$ phases. $\mathcal{A}$ is called a $k$-phase protocol if it is a $k$-phase protocol for every bridge node. 

The start and end round of each phase does not need to be the same for each 
player. Of particular interest are 1-phase protocols. In such a protocol, each bridge 
player may only communicate once with each block he belongs to. Such protocols 
seem to be natural, since they have a local structure. Once the computation is 
finished in one block, the protocol will never communicate with this block again. 

For $k$-phase protocols we define $\mathcal{L}^{k}_G(i, a, b)$ and $s^{k}_G(i, a, b)$ in a similar way as $\mathcal{L}_G$ and $s_G$ in the general case, but we minimize over all $k$-phase protocols. 

During each phase a player communicates with at least two blocks. The order in which the player communicates within a phase can matter. The communication order $\sigma_q$ of a bridge node $P_q$ specifies the order in which $P_q$ communicates with the blocks during the whole computation. Formally, $\sigma_q$ is a finite sequence of (the indices of) blocks $P_q$ belongs to and the length of $\sigma_q$ is the total number of alternations made by $P_q$ plus one. We say that a protocol is $\sigma_q$-ordered for $P_q$ if for all inputs and all contents of the random tapes, the communication order of $P_q$ is consistent with $\sigma_q$. Let $P_{q_1}, \ldots, P_{q_r}$ with $q_1 < q_2 < \ldots < q_r$ be an enumeration of all bridge players of a network $G$ and $\sigma = (\sigma_{q_1}, \ldots, \sigma_{q_r})$ be a sequence of communication orders. We call a protocol $\sigma$-ordered if it is $\sigma_{q_j}$-ordered for every $P_{q_j}$. Finally, define $s_G(i, a, b, \sigma) := \min\{\, s_{\mathcal{A}}(i, a, b) \mid \mathcal{A} \text{ is } \sigma\text{-ordered for } f \text{ on } G \,\}$. 
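The definitions of Section 2.3 (block sequences, alternations, phases and the communication order $\sigma_q$) can be turned into a small procedure that classifies a bridge player's communication sequence. The following is an added example written for this edition, not code from the paper; the sample sequences are constructed, and the reading of "consistent with $\sigma_q$" as equality of the observed order with $\sigma_q$ is an assumption made here.

```python
"""Block sequences, alternations, phases and communication orders of a bridge
player (added example; not code from the paper).  A communication sequence
c = d_1 d_2 ... of P_q is modelled as a list of (block, message) pairs, one
pair per non-empty message P_q exchanges with that block."""


def block_sequences(comm):
    """Partition c into alternation-free subsequences block_1(c), block_2(c), ...
    i.e. maximal runs of messages exchanged with the same block."""
    runs = []
    for block, msg in comm:
        if runs and runs[-1][0] == block:
            runs[-1][1].append(msg)
        else:
            runs.append((block, [msg]))
    return [(block, tuple(msgs)) for block, msgs in runs]


def alternations(comm):
    """Number of alternations: one less than the number of block sequences."""
    return max(len(block_sequences(comm)) - 1, 0)


def communication_order(comm):
    """sigma_q: the blocks P_q talks to, one entry per block sequence."""
    return tuple(block for block, _ in block_sequences(comm))


def phases(comm):
    """Split the communication order into phases: a new phase starts when, after
    an alternation, P_q returns to a block it already used in the current phase."""
    result, current = [], []
    for block in communication_order(comm):
        if block in current:
            result.append(tuple(current))
            current = [block]
        else:
            current.append(block)
    if current:
        result.append(tuple(current))
    return result


def is_k_phase(comm, k):
    """True if P_q works in at most k phases on this run."""
    return len(phases(comm)) <= k


def is_sigma_ordered(comm, sigma):
    """Assumption made in this example: 'consistent with sigma_q' is read as
    equality of the observed communication order with sigma_q."""
    return communication_order(comm) == tuple(sigma)


# Constructed sample runs of a bridge player incident with blocks 1, 2 and 3.
ONE_PHASE = [(1, "m1"), (1, "m2"), (2, "m3"), (3, "m4"), (3, "m5")]
TWO_PHASE = [(1, "m1"), (2, "m2"), (3, "m3"), (1, "m4"), (2, "m5")]
PING_PONG = [(1, "a"), (2, "b"), (1, "c"), (2, "d"), (1, "e")]

if __name__ == "__main__":
    for name, run in [("ONE_PHASE", ONE_PHASE), ("TWO_PHASE", TWO_PHASE), ("PING_PONG", PING_PONG)]:
        print(name, "order:", communication_order(run),
              "alternations:", alternations(run), "phases:", phases(run))
```

A run is 1-phase exactly when every block occurs at most once in its communication order, which is the local structure the text attributes to 1-phase protocols.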

2.4 Communication Protocols 

For comparing the communication complexity with the loss of private protocols, we need the following definitions. Let $f : \{0,1\}^{m_1} \times \{0,1\}^{m_2} \to \{0,1\}$ be a Boolean function and $B$ be a two-party communication protocol for computing $f$. Let $y_1 \in \{0,1\}^{m_1}$ and $y_2 \in \{0,1\}^{m_2}$ be two strings as input for the two parties. Then $\mathrm{CC}_B(y_1, y_2)$ is the total number of bits exchanged by the two parties when executing $B$. 

$\mathrm{CC}(B)$ is the maximum number of bits exchanged by executing $B$ on any input. Analogously, $\mathrm{CS}(B)$ is the number of different communication strings that occur. (We simply concatenate the messages sent.) Finally, we define $\mathrm{CC}(f) = \min_{B \text{ for } f} \mathrm{CC}(B)$ and $\mathrm{CS}(f) = \min_{B \text{ for } f} \mathrm{CS}(B)$. 

$\mathrm{CC}(f)$ and $\mathrm{CS}(f)$ are the communication complexity and communication size, respectively, of the function $f$. $\mathrm{CC}(B)$ and $\mathrm{CS}(B)$ are the communication complexity and communication size for a certain protocol $B$. The communication size is closely related to the number of leaves in a protocol tree, usually denoted by C^{B). In the definition of CS, we do not care about who has sent any bit, 
since we concatenate all messages. In a protocol tree however, each edge is labeled 
by the bit sent and by its sender. The bits on a path from the root to a leaf form 
a communication string. Usually, the messages sent in a communication protocol 
are assumed to be prefix-free. In this case, we can reconstruct the sender of any 
bit from the communication string. If this is not the case, then we can make a 
particular communication protocol prefix-free by replacing the messages sent in 
each round by prefix-free code words. The complexity is at most doubled. 

We also consider multi-party communication with a referee. Let $f : \{0,1\}^{m_1} \times \{0,1\}^{m_2} \times \cdots \times \{0,1\}^{m_k} \to \{0,1\}$ be a function. Let $A_1, \ldots, A_k$ be $k$ parties and $R$ be a referee, all with unlimited computational power. For computing $f$ on input $x_1, \ldots, x_k$, the referee cooperates with $A_1, \ldots, A_k$ as follows: 

— Initially, $x_1, \ldots, x_k$ are distributed among $A_1, \ldots, A_k$, i.e. $A_i$ knows $x_i$. The referee $R$ does not have any knowledge about the inputs. 

— In successive rounds, $R$ exchanges messages with $A_1, \ldots, A_k$ according to a communication protocol. In each round $R$ can communicate (i.e. receive or send a message) only with a single party. 

— After finishing the communications, $R$ eventually computes the result of $f$. 

Let $B$ be a communication protocol for computing $f$. Denote by $c^R_B(x_1, \ldots, x_k)$ the whole communication string of $R$ after protocol $B$ has been finished. More precisely, $c^R_B(x_1, \ldots, x_k)$ is a concatenation of messages sent (to or from $R$) on input $x_1, \ldots, x_k$ with additional stamps describing the sender and the receiver of each message. For $b \in \{0,1\}$ let 

$\mathcal{CS}^R_B(b) = \{ c^R_B(x_1, \ldots, x_k) \mid \forall i \in [k] : x_i \in \{0,1\}^{m_i} \text{ and } f(x_1, \ldots, x_k) = b \}$, $\quad \mathcal{CS}^R(B) = \mathcal{CS}^R_B(0) \cup \mathcal{CS}^R_B(1)$ , 

$\mathrm{CS}^R_B(b) = |\mathcal{CS}^R_B(b)|$, $\quad \mathrm{CS}^R(B) = |\mathcal{CS}^R(B)|$ , 

$\mathrm{CS}^R(f, b) = \min_{B \text{ for } f} \mathrm{CS}^R_B(b)$ , $\quad$ and $\quad \mathrm{CS}^R(f) = \min_{B \text{ for } f} \mathrm{CS}^R(B)$ . 

3 The Suitability of the Model 

We observe that it suffices to consider bridge players when talking about the loss 
of a protocol. More precisely, any protocol can be modified such that the loss to 
all internal players is zero, while the loss to any bridge player does not increase. 

All Boolean functions can be computed by using only three players [3]. Thus, 
it is possible to compute functions privately within any block, since the networks 
we consider are isthmus-free. This holds even if some of the players know a subset 
of the input bits and the result consists of a binary string. 

Finally, in optimal protocols, the probability distributions observed by any 
player have pairwise fidelity 0. Thus, any player can easily distinguish the dif- 
ferent probability distributions he observes. 

We consider arbitrary 1-connected networks. Let $f$ be a Boolean function and $\mathcal{A}$ be a protocol for computing $f$ on a 1-connected network $G$. Let $P_q$ be a bridge player of $G$, $a, b \in \{0,1\}$, and $R_q$ be the random string provided to $P_q$. We define $X := \{ x \in \{0,1\}^n \mid x_q = a \wedge f(x) = b \}$ and, for any communication string $c$, $\psi(c) := \{ x \in X \mid \mu_x(c) > 0 \}$, where $\mu_x(c) = \Pr[C_q = c \mid R_q, x]$. For every communication string $c$ that can be observed by $P_q$ on some input $x \in X$, $P_q$ can deduce that $x \in \psi(c)$. If $s_{\mathcal{A}}(q, a, b) = s_G(q, a, b) = 1$, then we have either $\psi(c) = X$ or $\psi(c) = \emptyset$. Thus $P_q$ does not learn anything in this case. 

Theorem 1. If $s_G(q, a, b) > 1$, then for any protocol $\mathcal{A}$ and every communication string $c$ that can be observed by $P_q$ on $x \in X$, $\psi(c)$ is a non-trivial subset of $X$, i.e. $\emptyset \neq \psi(c) \subsetneq X$, and there exist at least $s_G(q, a, b)$ different such sets. 

Hence, from seeing $c$ on $x \in X$, $P_q$ always gains some information and there are at least $s_G(q, a, b)$ different pieces of information that can be extracted by $P_q$ on inputs from $X$. To prove this, we show that for each distribution we can find one representative string that can be used in the communication protocol. 

The next result says that $s_G(q, a, b)$ is a tight lower bound on the number of pieces of information: the lower bound is achieved when performing an optimal protocol on $G$. Let $\mu$ and $\mu'$ be two probability distributions over the same set of elementary events. The fidelity is a measure for the similarity of $\mu$ and $\mu'$ (see e.g. Nielsen and Chuang [15]) and is defined by $F(\mu, \mu') = \sqrt{\ldots}$ 

Theorem 2. If $\mathcal{A}$ is an optimal protocol for $P_q$ on $a$ and $b$, i.e. $s_{\mathcal{A}}(q, a, b) = s_G(q, a, b)$, then for all random strings $R_q$ and all probability distributions $\mu \neq \mu'$ in $S_{\mathcal{A}}(q, a, b, R_q)$ we have $F(\mu, \mu') = 0$. 
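The information source of Definition 2 (Section 2.2), the loss $\log |S_{\mathcal{A}}(q,a,b,R_q)|$ and the fidelity statement of Theorem 2 can all be computed by brute force for a small network. The code below is an added example written for this edition, not code from the paper. It assumes a network of five players with two blocks $\{P_0, P_1, P_q\}$ and $\{P_q, P_2, P_3\}$ sharing the bridge player $P_q$ (index 4), computes parity, and uses two constructed protocols: a masked one in which block 1 reveals only $x_0 \oplus x_1$ to $P_q$, and a leaky variant that additionally sends a noisy copy of $x_0$. Communication inside a block is assumed private, so only the messages $P_q$ sees are modelled, and $P_q$ uses no randomness, so the maximum over $R_q$ is trivial. For the fidelity the classical definition of Nielsen and Chuang, $F(\mu,\mu') = \sum_c \sqrt{\mu(c)\,\mu'(c)}$, is used. Since parity is not privately computable on a non-2-connected network (Section 1, citing [5]), some $(a,b)$ has $s_G(q,a,b) \ge 2$, and by the symmetry of parity the same holds for every $(a,b)$; the masked protocol reaches $s_{\mathcal{A}} = 2$, so it is optimal and Theorem 2 predicts pairwise fidelity $0$, whereas the leaky protocol has loss $2$ bits and overlapping distributions with fidelity $\sqrt{3}/2$.

```python
"""Information source, loss and fidelity of two toy protocols (added example,
not code from the paper).  Network: n = 5 players, blocks {P0, P1, Pq} and
{Pq, P2, P3}, bridge player Pq = index 4.  Both protocols are constructed."""
from fractions import Fraction
from itertools import product
from math import log2, sqrt

N, Q = 5, 4  # number of players, index of the bridge player P_q


def parity(x):
    """f(x) = x_0 xor ... xor x_4 (not privately computable here, see [5])."""
    return sum(x) % 2


def masked_parity_protocol(x, r):
    """Communication string seen by P_q.  r = (r0,) is a mask bit of block 1.
    Block 1 sends the mask and the masked parity s of its internal bits;
    P_q forwards s xor x_q to block 2, which returns the result."""
    s = x[0] ^ x[1]
    t = s ^ x[Q]
    return (r[0], s ^ r[0], t, t ^ x[2] ^ x[3])


def leaky_parity_protocol(x, r):
    """Like the masked protocol, but block 1 also sends x_0 flipped with
    probability 1/4 (flip iff r1 = r2 = 1).  r = (r0, r1, r2)."""
    s = x[0] ^ x[1]
    t = s ^ x[Q]
    noisy_x0 = x[0] ^ (r[1] & r[2])
    return (r[0], s ^ r[0], noisy_x0, t, t ^ x[2] ^ x[3])


def information_source(protocol, f, a, b, tape_len):
    """S_A(q, a, b, R_q) of Definition 2: the set of distributions on P_q's
    communication string over all inputs x with x_q = a and f(x) = b.  The
    randomness of the other players is modelled as tape_len uniform bits."""
    source = set()
    for x in product((0, 1), repeat=N):
        if x[Q] != a or f(x) != b:
            continue
        counts = {}
        for r in product((0, 1), repeat=tape_len):
            c = protocol(x, r)
            counts[c] = counts.get(c, 0) + 1
        dist = frozenset((c, Fraction(k, 2 ** tape_len)) for c, k in counts.items())
        source.add(dist)
    return source


def loss_bits(source):
    """log |S_A(q, a, b, R_q)|: the loss of the protocol to P_q (Section 2.2)."""
    return log2(len(source))


def fidelity(mu, nu):
    """Classical fidelity sum_c sqrt(mu(c) * nu(c)) (Nielsen and Chuang)."""
    mu, nu = dict(mu), dict(nu)
    return sum(sqrt(float(mu[c] * nu[c])) for c in mu if c in nu)


def max_pairwise_fidelity(source):
    """Largest fidelity between two distinct distributions of the source."""
    dists = list(source)
    return max((fidelity(p, q) for i, p in enumerate(dists) for q in dists[i + 1:]), default=0.0)


def analyse(protocol, tape_len):
    """(loss in bits, max pairwise fidelity) of the protocol for every (a, b)."""
    return {(a, b): (loss_bits(src), max_pairwise_fidelity(src))
            for a in (0, 1) for b in (0, 1)
            for src in [information_source(protocol, parity, a, b, tape_len)]}


if __name__ == "__main__":
    for name, proto, tl in [("masked", masked_parity_protocol, 1), ("leaky", leaky_parity_protocol, 3)]:
        for ab, (loss, fid) in analyse(proto, tl).items():
            print(f"{name:6s} (a,b)={ab}: loss={loss:.0f} bit(s), max fidelity={fid:.3f}")
```

The leaky variant shows why Theorem 2 matters: with fidelity $\sqrt{3}/2$ the bridge player would have to sample many runs to tell the two distributions for $x_0 = 0$ and $x_0 = 1$ apart, while in the optimal protocol one observed string already identifies the distribution.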

4 Communication Complexity and Private Computation 

In this section, we investigate the relations between deterministic communication 
complexity and the minimum size of an information source in a network with 
one bridge node. To distinguish protocols in terms of communication complexity 
and protocols in terms of private computation, we will call the former communication protocols. From the relation between CS and CC (see e.g. Kushilevitz and Nisan [11, Sec. 2.2]), we get $\frac{1}{2}\log(\mathrm{CS}(f)) \le \mathrm{CC}(f) \le 3 \cdot \log(\mathrm{CS}(f))$. Making a communication protocol prefix-free yields the extra factor $\frac{1}{2}$. 

Now we investigate the relations between communication size and the size of 
an information source on graphs that consist of two blocks sharing one bridge 
node $P_q$. In the model of private computation the input bits are distributed 
among n players whereas the input bits in a communication protocol are dis- 
tributed among the two parties. Alice and Bob correspond to the first and second 
block, respectively, while both know the bridge player’s bit. 

Theorem 3. If a function $f$ has communication complexity $c$ then there exists a protocol for computing $f$ with loss bounded by $2c$. On the other hand, if $f$ can be computed by a protocol with loss bounded by $\lambda$, then the communication complexity of $f$ is bounded by $6\lambda + O(1)$. 

We can generalize the results obtained for the relation between two-party communication and private computation to obtain similar results for the relation of multi-party communication with a referee and private computation as follows: For $a, b \in \{0,1\}$ we have $s_G(q, a, b) = \mathrm{CS}^R(f_{q \leftarrow a}, b)$. 
5 1-Phase Protocols 

We start our study of 1-phase protocols with considering networks that consist 
of one bridge player who is incident with $d$ blocks. For the case that the order 
in which the bridge player communicates with the blocks is fixed for all inputs, 
we show a relationship between the size of the information source of 1-phase 
protocols and communication size of multi-party 1-way protocols. Furthermore, 
we prove that for every symmetric Boolean function 1-phase protocols can mini- 
mize the loss of information when the bridge player sorts the blocks by increasing 
size. Then we present a simple 1-phase protocol on arbitrarily connected net- 
works that is optimal for every symmetric function. 

5.1 Orderings 

A natural extension of the two-party scenario for 1-way communication is a scenario in which the parties use a directed chain for communication: $d$ parties $A_1, \ldots, A_d$ are connected by a directed chain, i.e. $A_i$ can only send messages to $A_{i+1}$. For a communication protocol $B$ and $i \in [d]$ let $S^{(i)}(B)$ be the number of possible communication sequences on the subnetwork of $A_1, \ldots, A_i$. 

Each communication protocol $B$ can be modified without increasing $S^{(i)}(B)$ in the following way: Every party $A_j$ first sends the messages it has received from $A_{j-1}$ to $A_{j+1}$ followed by the messages it has to send according to $B$. In the following we restrict ourselves to communication protocols of this form. 

If the network $G$ consists of $d$ blocks $B_i$ with $i \in [d]$ and one bridge player $P_q$ we consider a chain of $d$ parties $A_1, \ldots, A_d$. For a $\sigma$-ordered 1-phase protocol $\mathcal{A}$, we assume that the enumeration of the blocks reflects the ordering $\sigma$. We have to determine the input bits of the parties in the chain according to the input bits of the players in the protocol. In the following we will assume that $A_i$ knows the input bits of the players in $B_i$. Thus, each party $A_i$ has to know the input bit $x_q$ of the bridge player $P_q$. Therefore, we will investigate the restricted function $f_{q \leftarrow a}$ whenever we analyse the communication size of a communication protocol. 

For a $\sigma$-ordered protocol $\mathcal{A}$ define $S^{i}_{\mathcal{A}}(q, a, b, R_q) = \{ \mu_x \mid x_q = a \wedge f(x) = b \}$, where $\mu_x(c_k)$ denotes the sum of the probabilities $\Pr[C_q = c \mid R_q, x]$ over all $c$ with $c_k = \mathrm{block}_1(c) \ldots \mathrm{block}_i(c)$ and $c_1, c_2, c_3, \ldots$ is a fixed enumeration of all strings describing the communication of $P_q$ in the first $i$ block sequences. 

Lemma 1. Let $\mathcal{A}$ be a $\sigma$-ordered 1-phase protocol for computing $f$ on a network as described above. Then for every $a \in \{0,1\}$ and every content $R_q$ of $P_q$'s random tape there exists a 1-way communication protocol $B$ for computing $f_{q \leftarrow a}$ such that for all $i \in [d-1]$, we have 

$S^{(i)}(B) \le |S^{i}_{\mathcal{A}}(q, a, 0, R_q) \cup S^{i}_{\mathcal{A}}(q, a, 1, R_q)|$ . 

Let us now focus on the structure of the possible communication sequences of 
an optimal communication protocol on a chain. In such a protocol, the message 
sent from $A_i$ to $A_{i+1}$ has to specify the subfunction obtained by specifying the 
input bits of the first $i$ blocks according to their input. Hence, the number of 
possible communication sequences on the network $A_1, \dots, A_d$ is at least the 
number of different sequences of subfunctions that can be obtained in this way. 

The knowledge about these sequences must also be provided to the bridge 
player. Hence, for every fixed $R_q$ and $b \in \{0, 1\}$ the number of distributions in 
$S^i_{\mathcal{A}}(q, a, b, R_q)$ is at least the number of different sequences $f_{1,x}, \dots, f_{d-1,x}$ of such 
subfunctions for inputs $x$ with $x_q = a$ and $f(x) = b$. This implies the following lemma. 

Lemma 2. For $a \in \{0, 1\}$, let $B$ be a communication protocol for computing 
$f_{q,a}$ on a chain network. Then there exists a $\sigma$-ordered 1-phase protocol $\mathcal{A}$ for 
$f$ such that for all $i \in [d - 1]$ and every content $R_q$ of $P_q$'s random tape, we have 

$S^i(B) = |S^i_{\mathcal{A}}(q, a, 0, R_q) \cup S^i_{\mathcal{A}}(q, a, 1, R_q)|$. 

Furthermore, for any $b \in \{0, 1\}$: if we restrict the inputs to $x \in \{0, 1\}^{n-1}$ with 
$f_{q,a}(x) = b$, the number of possible communication sequences on the subnetwork 
$A_1, \dots, A_{i+1}$ is $|S^i_{\mathcal{A}}(q, a, b, R_q)|$. 

We can show that there exist functions for which no ordered 1-phase protocol 
minimizes the size of the bridge player's information source. Thus, we generalize 
the class of orderings that we consider in order to achieve such a property. 

We call a protocol $\mathcal{A}$ quasi-ordered if for every $a, b \in \{0, 1\}$, for every content 
$R_q$ of $P_q$'s random tape, and for every distribution $\mu \in S^i_{\mathcal{A}}(q, a, b, R_q)$ there 
exists a 1-phase ordering $\sigma$ such that every communication string $c$ with $\mu(c) > 0$ 
is $\sigma$-ordered. Note that this ordering is not necessarily the same for 
all inputs. However, given any input, the ordering is fixed. 

We can prove that among all 1-phase protocols for a given function, there 
always exists a quasi-ordered protocol that minimizes the loss to Pq. 

5.2 Orderings for Symmetric Functions 

For symmetric Boolean functions, we can show even more. Arpe et al. [1] have 
proved the following for symmetric Boolean functions with a fixed partition of 
the input bits: for all $i$, $S^i(B)$ is minimal if the number of bits known by the 
parties in the chain corresponds to the position of the party, i.e. the first party 
knows the smallest number of input bits, the second party knows the second 
smallest number, and so on. This observation also holds if we count the number 
of communication sequences in a chain network for inputs $x$ with $f(x) = 1$ and 
the number of communication sequences in a chain network for inputs $x$ with 
$f(x) = 0$. Together with Lemma 2, we obtain the following: Let $G$ be a connected 
network with one bridge player $P_q$ and $d$ blocks. Let $\sigma$ be a one-phase ordering 
that enumerates the blocks of $G$ according to their size. Then for every ordered 
1-phase protocol $\mathcal{A}'$ there exists a $\sigma$-ordered 1-phase protocol $\mathcal{A}$ such that for 
all $a, b \in \{0, 1\}$, for all $i \le d - 1$, and every content $R_q$ of $P_q$'s random tape 

$|S^i_{\mathcal{A}}(q, a, b, R_q)| \le |S^i_{\mathcal{A}'}(q, a, b, R_q)|$. 

This result can be generalized to networks with more than one bridge player. 
Let $G_1, \dots, G_k$ be the connected subgraphs obtained by deleting the bridge 
player $P_q$, with $|G_i| \le |G_{i+1}|$. We say that $P_q$ works in increasing order if 
it starts communicating with $G_1$, then with $G_2$, and so on. We call a 1-phase 
protocol $\mathcal{A}$ increasing-ordered if every bridge player works in increasing order. 

For a graph $G$ let $\{G_1 = (V_1, E_1), \dots, G_h = (V_h, E_h)\}$ be the set of blocks 
and $Q = \{q_1, \dots, q_k\}$ be the set of bridge nodes of $G$. Every graph $G$ induces a 
tree $T_G = (V_G, E_G)$ defined as follows: $V_G = V_Q \cup V_B$ with $V_Q = \{u_1, \dots, u_k\}$ 
and $V_B = \{v_1, \dots, v_h\}$, and $E_G = \{\{u_i, v_j\} \mid q_i \in V_j\}$. 

For every 1-phase communication order $\sigma = (\sigma_{q_1}, \dots, \sigma_{q_k})$ and every bridge 
node $q_i$ the order $\sigma_{q_i}$ defines an ordering of the nodes $v_j \in V_B$ adjacent to the 
tree-node $u_i$. Let $G_{\sigma_{q_i}(1)}, \dots, G_{\sigma_{q_i}(k_i)}$ denote the ordering of blocks adjacent to $q_i$ 
with respect to $\sigma_{q_i}$ and $\mathrm{root}_\sigma(u_i) := v_{\sigma_{q_i}(k_i)}$. If $\sigma$ is an increasing communication 
order, then there exists a single tree-node $v_j \in V_B$ such that $v_j = \mathrm{root}_\sigma(u_i)$ for 
all $u_i \in V_Q$ adjacent to $v_j$. Let us call this node the root of $T_G$. For a tree-node 
$w \in V_B$ let $T_G[w]$ denote the subtree of $T_G$ rooted at $w$ and let $V[w]$ denote the 
nodes of $G$ located in the blocks $G_j$ with $v_j \in T_G[w]$. 

For computing a symmetric function $f$ we use the following protocol. Let 
$\sigma$ be an increasing communication order. Then for an input $x$ every bridge 
player $q_i$ computes a sequence of strings $y_1, \dots, y_{k_i - 1}$ as follows: Let 
$X_j = \bigcup_{\ell \in [j]} V[v_{\sigma_{q_i}(\ell)}]$ and $\ell_j = |X_j|$. Then $y_j \in \{0, 1\}^{\ell_j}$ such that for all $j \le k_i - 1$ 
the function obtained from $f$ by specialising the positions in $X_j$ to $y_j$ is equal 
to the function obtained from $f$ by specialising the positions to $x_{X_j}$, where 
$x_I$ for $I \subseteq [n]$ denotes the input bits with indices in $I$. Finally, a node of the 
block that corresponds to the root of $T_G$ computes the result $f(x)$. This can 
be implemented such that no player gains any additional information except for 
$y_1, \dots, y_{k_i - 1}$ learned by the bridge nodes $q_i$. 
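The specialisation step above is easy to make concrete for a symmetric $f$, which depends only on the Hamming weight of its input. The following Python code is an added example and not part of the paper: it represents $f$ by its weight table, computes the subfunction induced by fixing the first $\ell_j$ bits, picks a representative $y_j$, and counts the distinct message sequences $(y_1, \dots, y_i)$ that a chain of blocks produces, i.e. the quantity $S^i$ compared in Lemma 2 and in Section 5.2, optionally restricted to inputs with $f(x) = b$. The function names, the choice of representative and the sample block sizes are the example's own assumptions.

```python
from itertools import permutations, product


def threshold_table(n, n0):
    """Weight table of the threshold function f_{n0}: entry w is f(x) for any x with |x| = w."""
    return tuple(int(w >= n0) for w in range(n + 1))


def mod_table(n, p):
    """Weight table of counting modulo p: g_p(x) = 1 iff |x| = 0 (mod p)."""
    return tuple(int(w % p == 0) for w in range(n + 1))


def specialise(table, ell, w):
    """Subfunction of the symmetric f left after fixing ell input bits of total weight w.
    It depends only on the weight m of the remaining n - ell bits, i.e. it is the window
    table[w + m] for m = 0 .. n - ell."""
    n = len(table) - 1
    return tuple(table[w + m] for m in range(n - ell + 1))


def message_classes(table, ell):
    """For each weight w of the ell bits fixed so far, the id of the subfunction it induces.
    Partial inputs in the same class must yield the same message, so the message reveals
    only the class id; the number of classes bounds what the receiver learns."""
    ids = {}
    return [ids.setdefault(specialise(table, ell, w), len(ids)) for w in range(ell + 1)]


def canonical_y(table, partial_input):
    """A string y_j in the sense of Section 5.2: it induces the same subfunction as the real
    partial input.  The representative chosen here is 0^(ell-v) 1^v for the smallest weight
    v in the class (the example's own convention)."""
    ell, w = len(partial_input), sum(partial_input)
    target = specialise(table, ell, w)
    for v in range(ell + 1):
        if specialise(table, ell, v) == target:
            return (0,) * (ell - v) + (1,) * v


def loss_profile(table, block_sizes, b=None):
    """S^i for i = 1 .. d-1: the number of distinct message sequences (y_1, ..., y_i) on the
    chain when the blocks are fed in the given order.  With b in {0, 1} only inputs with
    f(x) = b are counted.  Because everything depends on weights alone, one weight per block
    stands in for all inputs with those block weights."""
    d = len(block_sizes)
    classes = [message_classes(table, sum(block_sizes[:i])) for i in range(1, d)]
    seen = [set() for _ in range(d - 1)]
    for ws in product(*(range(s + 1) for s in block_sizes)):
        if b is not None and table[sum(ws)] != b:
            continue
        seq = ()
        for i, cls in enumerate(classes):
            seq += (cls[sum(ws[:i + 1])],)
            seen[i].add(seq)
    return [len(s) for s in seen]


def order_comparison(table, block_sizes, b=None):
    """loss_profile for every ordering of the given block sizes."""
    return {order: loss_profile(table, order, b)
            for order in sorted(set(permutations(block_sizes)))}


if __name__ == "__main__":
    f = threshold_table(6, 3)          # constructed sample: n = 6, threshold n0 = 3
    print(canonical_y(f, (1, 0, 1)))   # a weight-2 prefix of length 3 -> (0, 1, 1)
    for order, profile in order_comparison(f, (1, 2, 3)).items():
        print(order, profile)          # (1, 2, 3), the increasing order, is smallest in every coordinate
```

For the sample threshold function with blocks of sizes 1, 2 and 3 the increasing order gives the profile [2, 6] while the decreasing order gives [4, 8], which is the behaviour the Arpe et al. result predicts; running `order_comparison` on `mod_table(6, 2)` with blocks of size 2 and 4 gives the same profile for both orders, matching the remark in Section 7 that for counting modulo $p$ the order does not matter once every block has at least $p$ nodes.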



Theorem 4. Let $G$ be a 2-edge-connected network and $f$ be a symmetric Boolean 
function. Then for every 1-phase protocol $\mathcal{A}'$ computing $f$ on $G$ there exists 
an increasing-ordered 1-phase protocol $\mathcal{A}$ for $f$ on $G$ such that for every player 
$P_i$ and for all $a, b \in \{0, 1\}$, we have $s_{\mathcal{A}}(i, a, b) \le s_{\mathcal{A}'}(i, a, b)$. 

Thus, the protocol presented in this section is optimal for 1-phase computa- 
tions of symmetric functions with respect to the size of the information source. 



6 A Phase Hierarchy 

In this section we show that there are functions for which the size of the infor- 
mation source of some player for a $(k - 1)$-phase protocol is exponentially larger 
than for a $k$-phase protocol. The natural candidate for proving such results is 
the pointer jumping function $pj$. Our network $G$ has two blocks $A$ and $B$, one 
of size $n \log n$ and the other of size $n \log n + 1$, sharing one bridge player $P_1$. 
For simplicity we assume that $A$ and $B$ are complete subgraphs. The input bits 
represent two lists of $n$ pointers, each of length $\log n$ bits. The input bit of $P_1$ 
belongs to the list of the smaller component. Starting with some predetermined 
pointer of $A$, the task is to follow these pointers, find the $j$th pointer and output 
the parity of the bits of the $j$th pointer. Define $CS^j$ and $CC^j$ in the same manner 
as $CS$ and $CC$, but by minimizing over $j$-round communication protocols instead 
of arbitrary communication protocols. 

Theorem 5. For any protocol $\mathcal{A}$ for computing $pj_{2k-1}$, we have $s_{\mathcal{A}}(1, a, b) = 
2^{\Omega(n/(k \log k))}$ for all $a, b$. For $pj_{2k-1}$, $s_{\mathcal{A}}(1, a, b) =$  for all $a, b$. 

The lower bound follows from work by Nisan and Wigderson [16]. 



7 Conclusions and Open Problems 

We have considered distributed protocols in “non-private” environments: net- 
works that are connected but not 2-connected. Since private computation of 
arbitrary Boolean functions is impossible on such networks, we have introduced 
a measure for the information that can be inferred by any player and discussed 
some general properties of protocols with respect to this measure. A natural 
question is finding optimal protocols for some concrete functions. 

For threshold ($f_{n_0}(x_1, \dots, x_n) = 1$ iff $\sum_{i=1}^n x_i \ge n_0$) and counting modulo $p$ 
($g_p(x_1, \dots, x_n) = 1$ iff $\sum_{i=1}^n x_i = 0 \pmod p$), the information loss to any player 
does not depend on the ordering in which a 1-phase protocol computes any of 
these functions, if each block has size at least $n_0$ and $p$, respectively. If we have 
blocks of less than $p - 1$ nodes, there can be a slight difference in the size of $P_q$'s 
information source depending on the order. 

In general, the size of the information source while communicating in one 
order can be exponentially larger than the size obtained by communication in 
another order. This holds even in case of symmetric functions. 

For 1-phase protocols for symmetric Boolean functions, we have been able to 
minimize the number of bits a player learns for all players simultaneously. An 
obvious question concerns minimizing the loss of more than one bridge player 
simultaneously for general functions. For 1-phase protocols, the answer is neg- 
ative: There are functions, for which no protocol exists that minimizes the loss 
to all players simultaneously. 

It is open whether there exist functions and networks that do not allow minimizing 
the loss to each bridge player simultaneously. For such functions, we 
have to generalize our measure. Two simple examples one might want to examine 
are the sum of the loss to each player and the maximum loss to any player. 
Abstract. In this paper, we present efficient asynchronous protocols that allow one to 
build proactive cryptosystems secure against a mobile fail-stop adversary. Such 
systems distribute the power of a public-key cryptosystem among a set of servers, 
so that the security and functionality of the overall system is preserved against an 
adversary that crashes and/or eavesdrops every server repeatedly and transiently, 
but no more than a certain fraction of the servers at a given time. The building 
blocks of proactive cryptosystems — to which we present novel solutions — are 
protocols for joint random secret sharing and for proactive secret sharing. 

The first protocol provides every server with a share of a random value unpre- 
dictable by the adversary, and the second allows to change the shared represen- 
tation of a secret value. Synchronous protocols for these tasks are well-known, 
but the standard method for adapting them to the asynchronous model requires 
an asynchronous agreement sub-protocol. Our solutions are more efficient as they 
go without such an agreement sub-protocol. Moreover, they are the first solutions 
for such protocols having a bounded worst-case complexity, as opposed to only a 
bounded average-case complexity. 



1 Introduction 

Threshold cryptography addresses the task of distributing a cryptosystem among $n$ 
servers such that the security and functionality of this distributed system is guaran- 
teed even if an adversary corrupts up to $t$ servers [2] (see [3] for a survey). Threshold 
cryptosystems are realized by sharing the key of the underlying cryptosystem among 
all servers using a $(t + 1)$-out-$n$ sharing scheme [4], and by accomplishing the cryp- 
tographic task through a distributed protocol. If this task involves the choice of secret 
random values, then the distribution of the task involves so-called joint random secret 
sharing (JRSS) [5], which allows the servers to jointly generate a $(t + 1)$-out-$n$ sharing 
of a random value unpredictable by the adversary. 

Proactive cryptosystems use threshold cryptosystems as the basis, but drastically 
reduce the assumption concerning failures [6] (see [7] for a survey). They operate in a 
sequence of time periods called phases and tolerate a mobile adversary, which corrupts 
the servers transiently and repeatedly, and is only restricted to corrupt at most t servers 
during every phase. Technically, proactive cryptosystems are threshold cryptosystems 
that change the representation of the shared secret key from one phase to another using 
proactive secret sharing (PSS) [8], so that the representations are independent; the old 
representation has to be erased. 

The key to efficient proactivization of many public key cryptosystems for signing and 
encryption lies in efficient solutions for JRSS and for PSS. In the synchronous network 
model with broadcast channels, such solutions exist [5,8]. Although such synchrony 
assumptions are justified in principle by the existence of clock synchronization and 
broadcast protocols, this approach may lead to rather expensive solutions in practice, for 
example when deployed in wide-area distributed systems with only loosely synchronized 
clocks. Furthermore, such systems are vulnerable to timing attacks. 

These issues can be eliminated by considering an asynchronous network in the first 
place. However, the standard approach to building asynchronous protocols for JRSS and 
PSS requires an asynchronous agreement sub-protocol, which substantially contributes 
to the overall complexity of such solutions; see for example [9]. 

Contributions. In this paper, we provide the first solutions for asynchronous JRSS 
and for asynchronous PSS, which do not rely on an agreement sub-protocol. Avoiding 
agreement results in two main advantages. On one hand, we are able to bound the 
worst-case complexity of our protocols. For previous protocols, one could only bound 
their average case complexity; such protocols therefore could (at least theoretically) run 
forever. On the other hand, our protocols have a worst-case latency of only six rounds, 
whereas the best known previous solution of Cachin et al. [9] has an expected latency of 
17 rounds (this comparison takes into account that [9] can be optimized in our model). 

Our protocols tolerate a fail-stop adversary who may adaptively and repeatedly eaves- 
drop and crash up to t servers in every two subsequent phases, where t < n/3. We stress 
that assuming a fail-stop adversary (as opposed to a fully Byzantine adversary) does not 
make the problem of avoiding agreement trivial: the main reason why the standard solu- 
tions for asynchronous JRSS and PSS require agreement is the fact that a crashed server 
cannot be distinguished from a slow server, and this problem also occurs for a fail-stop 
adversary. Note that in principle our protocols can be extended to tolerate Byzantine 
adversaries without affecting the resilience of t < n/3, using known techniques for 
asynchronous verifiable secret sharing [9] and zero-knowledge proofs [10]. Further- 
more, as shown in [11-Chapter 7], our protocols remain secure even under arbitrary 
composition. 

The cost of our approach is a higher communication complexity. Specifically, if k 
is the security parameter of the system, our protocols transmit a total of 0{kn^) bits 
across the network using O(n^) messages, whereas the (optimized) solution of Cachin 
et al. [9] transmits only O(kn^) bits using also O(n^) messages. However, in a practical 
setting, this additional overhead is of little concern as the size of n is typically very small 
relative to k (e.g. 10 vs. 1024). 

Technically, the key to our solutions is a novel proactive pseudorandomness (PPR) 
scheme [12], with an additional property that we call constructibility. Such a scheme 
provides at every phase to every server $P_i$ a random value $pr_i$ which remains hidden from 
the adversary. Additionally, it enables the honest servers to jointly reconstruct any such 
value $pr_j$. We then build our JRSS and PSS schemes such that a server $P_i$ derives all its 
random choices from its value $pr_i$ by using it as a seed to a pseudorandom function [13]. 
This allows the honest servers to reproduce the steps of a (possibly) faulty server in 
public, instead of agreeing on a set of such servers and then excluding them from the 
computation (as it is done by previous work). 

Related Work. As mentioned previously, Cachin et al. [9] implemented asynchronous 
proactive protocols using an agreement subprotocol as a building block, which results in 
a relatively high round complexity. Zhou [14] proposed to build proactive cryptosystems 
on a weaker notion of PSS, which can be implemented without agreement. In this weaker 
PSS protocol, every server computes in every phase a list of candidate shares such that 
one of these candidates is the fresh share of the secret. Zhou shows that this suffices to 
implement a proactive version of RSA signatures exploiting the fact that RSA signatures 
are unique in the sense that for any public key and any message, there exists only one 
signature on the given message valid under the given public key. Unfortunately, the 
approach of Zhou [14] cannot be applied to proactivize discrete-logarithm signature 
schemes such as ElGamal [15] or DSS [16], as these schemes are not unique in the 
above sense. The only known technique for proactivizing these signature schemes are 
protocols for JRSS and for PSS in the sense we introduced them before. 

Organization. In the next section we introduce our system model, and recall the defi- 
nitions of cryptographic tools we use in the proposed solutions. In Section 3 we give an 
overview of our constructions. Section 4 presents an efficient secret sharing protocol, 
which will be useful in our constructions. In Section 5 we present our solution for an 
asynchronous proactive pseudorandomness scheme. In Sections 6 and 7, we describe our 
solutions to asynchronous proactive secret sharing, and to asynchronous joint random 
secret sharing, respectively. In Section 8 we sketch how these protocols can be used to 
proactivize public-key signature schemes, considering Schnorr’s signature scheme [17] 
as an example. Finally, in Section 9 we conclude the paper. 



2 Asynchronous Proactive System Model 

Motivation. Proactive cryptosystems are threshold cryptosystems that operate in a 
sequence of phases. At the beginning of every phase, the servers refresh the shares of 
the underlying threshold system such that the new shares are independent of the old 
shares (except for the fact that they define the same secret). This prevents an adversary 
from learning the shared key, assuming that she corrupts no more than t servers in every 
phase. Such an assumption can be justified if every phase lasts some limited amount 
of real time, the idea being that it takes the adversary a certain amount of real time to 
corrupt a server, and that corruptions are transient, i.e., do not last forever [6]. 

This idea maps onto a synchronous network in a straightforward way: one can 
define phases with respect to a common clock accessible to every server and implement 
refresh using a synchronous protocol [8]. The drawback of this approach is that syn- 
chronous protocols proceed in rounds, i.e., messages are sent on a clock “tick”, and are 
received at the next “tick”. This may lead to slow protocols in practice, as the duration 
of a communication round must account for maximal message delays and maximal shifts 
among local clocks of the servers. Moreover, as the security of synchronous protocols 
relies on the timely delivery of messages, this approach is also vulnerable to timing 
attacks, which are often easy to launch. 

Cachin et al. [9] suggest to avoid these issues by implementing refresh using an 
asynchronous protocol. Such protocols are message-driven, i.e., proceed as soon as 
messages arrive. This allows a server to terminate a refresh and proceed with the next 
phase as soon as it has received enough information. Moreover, such protocols do not rely 
on upper bounds on message delays or clock shifts, i.e., they are as fast as the network. 
Timing attacks will only slow down such protocols, but not affect their security. 

However, in a purely asynchronous network servers would not have access to a 
common clock for defining phases. Therefore, Cachin et al. [9] suggest to define phases 
locally to every server in terms of a single time signal, or clock tick, that occurs locally 
for a server and only indicates the start of a phase. The idea is to model systems where 
the time signals come from a local clock, say every day at 0:00 UTC, and where the local 
clocks are loosely synchronized, say they agree on which day and hour it is. Hence, the 
model is partially synchronous with long stretches of asynchrony. Such a setting implies 
an upper bound on the real time available to an adversary for corrupting servers in a 
certain phase, which justifies the assumption that an adversary corrupts only t servers in 
the same local phase [6]. 

The formal model of [9] does not further constrain the synchronization of phases, 
i.e., it leaves the scheduling of phases up to the adversary. This is to ensure that the 
security of a protocol does not rely on any synchrony assumptions, and hence, is not 
affected by timing attacks. 

Network and Adversary. We adopt the basic system model from [9], which is param- 
eterized by a security parameter $k$; a function $\epsilon(k)$ is called negligible if for all $c > 0$ 
there exists a $k_0$ such that $\epsilon(k) < k^{-c}$ for all $k > k_0$. The network consists of $n$ servers 
$P_1, \dots, P_n$ and an adversary, which are all probabilistic interactive Turing machines 
(PITM) [10] that run in polynomial time in $k$. The random tape of a server is initialized 
at the beginning of the computation, and we assume that the servers can erase informa- 
tion. There is also an initialization algorithm run by a trusted dealer before the system 
starts. On input $k$, $n$, $t$, and further parameters, it generates the state information used to 
initialize the servers. 

Every server operates in a sequence of m{k) local phases, where m{k) is a poly- 
nomial. The phases are defined with respect to dedicated input actions of the form 
(in, clock_tick), scheduled by the adversary. The local phase of a server is defined as the 
number of such input actions it has received. 

The servers are connected by a proactive secure asynchronous network that allows 
every pair of servers to communicate authentically and privately whenever they are 
in the same local phase. The scheduling of the communication is determined by the 
adversary. Formally, we model such a network as follows. There exists a global set of 
messages $\mathcal{M}$, whose elements are identified by a label $(s, r, l, \tau)$ denoting the sender 
$s$, the receiver $r$, the length $l$ of the message, and the phase $\tau$ when the message has 
been sent. The adversary sees the labels of all messages in $\mathcal{M}$, but not their contents. All 
communication is driven by the adversary, and proceeds in steps as follows. Initially, $\mathcal{M}$ 
is empty. At each step, the adversary performs some computation, chooses a server $P_i$, 
and selects some message $m \in \mathcal{M}$ with label $(s, i, l, \tau)$, where $P_i$ must be currently in 
local phase $\tau$. The message $m$ is then removed from $\mathcal{M}$, and $P_i$ is activated with $m$ on its 
communication input tape. When activated, $P_i$ reads the contents of its communication 
input tape, performs some computation, and generates one or more response messages, 
which it writes to its communication output tape. Then, the response messages are added 
to $\mathcal{M}$, and control returns to the adversary. This step is repeated arbitrarily often until 
the adversary halts. We view this sequence of steps as logical time, and sometimes use 
the phrase “at a certain point in time” to refer to such a step. Such proactive secure 
asynchronous networks can be implemented based on a secure co-processor [18], or on 
the assumption that the network itself is authentic during short periods of time, allowing 
the exchange of fresh communication keys [19]. 

We assume an adaptive mobile fail-stop adversary. The adversary may corrupt a 
server $P_i$ at any point in time by activating it on a special input action. After such an 
event, she may read the entire internal state of $P_i$, which includes its random tape but 
not previously erased information. Furthermore, she may observe all messages being 
received, until she leaves the server. During such a period of time, we call a server 
corrupted; at every other point in time, a server is called honest. The adversary may also 
cause a corrupted server to stop executing a protocol. We call an adversary $t$-limited if 
for any phase $\tau$, she corrupts at most $t$ servers that are in a local phase $\tau$ or $\tau + 1$. 

Protocol Execution and Notation. In our model, protocols are invoked by the adversary. 
Every protocol instance is identified by a unique string ID, which is chosen by the 
adversary when it invokes the instance. For a protocol instance ID, we model the specific 
input and output actions of a server in terms of messages of the form {ID, in, ... ) 
and {ID, out, . . . ) that a server may receive and produce, respectively. Messages that 
servers send to each other over the network on behalf of an instance ID have the form 
(ID, type, . . . ), where type is defined by the protocol. We call a message associated 
with a protocol instance ID if it is of the form {ID, .. .). 

We describe a protocol in terms of transition rules that are executed in parallel. Such 
a transition rule consists of a condition on received messages and other state variables, 
and of a sequence of statements to be executed in case the condition is satisfied. We 
define parallel execution of transition rules as follows. When a server is activated and 
the condition of one or more transition rule is satisfied, one such rule is chosen arbitrarily 
and the corresponding statements are executed. This is repeated until no more conditions 
of transition rules are satisfied. Then, the activation of the server is terminated. 

A protocol instance may also invoke another protocol instance by sending it a suit- 
able input action and obtain its output via an output action. We assume that there is an 
appropriate server-internal mechanism which creates the instance for the sub-protocol, 
delivers the input message, and passes the produced output message to the calling pro- 
tocol. Furthermore, we assume that upon termination of a protocol instance, all internal 
variables associated with this instance are erased. 

Efficiency Measures and Termination. We define the message complexity of a protocol 
instance as the number of all associated messages produced by honest servers. It is 
a family of random variables that depend on the adversary and on k. Similarly, the 
communication complexity of a protocol instance is defined as the bit length of all 
associated messages, and is also a family of such random variables. To define the latency 
(round complexity) of a protocol, we follow the approach of [20], where informally 
speaking the latency of an execution is the absolute duration of the execution divided 
by a longest message delay in this execution, where both times are as measured by an 
imaginary external clock. The latency of a protocol is a latency of a worst-case execution. 
(For details see the full version of [20], page 6.) 

These quantities define a protocol statistic $X$, i.e., a family of real-valued, non- 
negative random variables $\{X_A(k)\}$, parameterized by the adversary $A$ and the security 
parameter $k$, where each $X_A(k)$ is a random variable induced by running the system 
with $A$. We call a protocol statistic uniformly bounded if there exists a fixed polynomial 
$p(k)$ such that for all adversaries $A$, the probability $\Pr[X_A(k) > p(k)]$ is negligible. 

As usual in asynchronous networks, we require liveness of a protocol, i.e., that “some- 
thing good” eventually happens, only to the extent that the adversary delivers in every 
phase all associated messages among the servers that remain honest during this phase. 
As in [21], we define termination as the combination of liveness and an efficiency con- 
dition, which requires a protocol to have uniformly bounded message complexity, i.e., 
the number of messages produced by the protocol is independent of the adversary. 

Cryptographic Assumptions. Our constructions are based on the assumption that there 
exist pseudo-random functions [13], defined as follows (sketch): Let $\mathcal{F}_k$ denote the set of 
functions from $\{0, 1\}^* \to \{0, 1\}^*$, and let $e \in_R \mathrm{Dom}$ denote the process of choosing an 
element $e$ uniformly at random from domain $\mathrm{Dom}$. Finally, let $D^f$ denote the execution 
of an algorithm $D$ when given oracle access to $f$, where $f$ is a random variable over $\mathcal{F}_k$. 
We say that $D$ with oracle access distinguishes between two random variables $\psi$ and 
$g$ over $\mathcal{F}_k$ with gap $\epsilon(k)$, if $|\Pr[D^{\psi}(1^k) = 1] - \Pr[D^{g}(1^k) = 1]| = \epsilon(k)$. We say a 
random variable $\psi$ over $\mathcal{F}_k$ is $\epsilon(k)$-pseudorandom if no algorithm $D$ with oracle access 
running in time polynomial in $k$ distinguishes $\psi$ from $g \in_R \mathcal{F}_k$ with gap $\epsilon(k)$. 

A function family $\Psi_k = \{\psi_l\}_{l \in \{0,1\}^k}$ (with $\psi_l \in \mathcal{F}_k$) is called $\epsilon(k)$-pseudorandom 
if the random variable $\psi_l$ for $l \in_R \{0, 1\}^k$ is $\epsilon(k)$-pseudorandom. If $\epsilon(k)$ is negligible, 
the collection $\{\Psi_k\}_{k \in \mathbb{N}}$ is called pseudorandom. We consider pseudorandom collections 
which are efficiently constructible, i.e., there exists a polynomial time algorithm that on 
input $l, x \in \{0, 1\}^*$ outputs $\psi_l(x)$. 

Pseudorandom function families can be constructed from any pseudorandom gener- 
ator [13], which in turn can be constructed from any one-way function [22]. Alterna- 
tively, one could trust and use much simpler constructions based on AES or other widely 
available cryptographic functions. 

In our protocols we make use also of distributed pseudorandom functions (DPRF), 
as introduced by Naor et al. [23]. In a DPRF the ability to evaluate the function is 
distributed among the servers, such that any authorized subset of the servers can evaluate 
the function, while no unauthorized subset gets any information about the function. For 
example, in a threshold DPRF the authorization to evaluate the function is 
determined by the cardinality of the subset of the servers. In the sequel, we denote 
by $\Phi_k = \{\varphi_l\}_{l \in \{0,1\}^k}$ a family of efficiently constructible distributed pseudorandom 
functions. Moreover, we assume that if $\Phi_k$ denotes a DPRF with threshold $\kappa$, and if 
every server holds a polynomial $\kappa$-out-$n$ share $r_i$ of a seed $r$ (where all $r_i$'s are from 
the same domain as $r$), then $\varphi_r(x)$ can be efficiently computed from any set of $\kappa$ values 
$\varphi_{r_i}(x)$ for any position $x \in \{0, 1\}^*$. Threshold DPRFs with this property are also called 
non-interactive. Nielsen [24] showed how to construct such non-interactive 
threshold DPRFs efficiently based on the decisional Diffie-Hellman assumption [25]. 



3 Technical Roadmap 

Hybrid Secret Sharing. A basic tool we need is an $n$-out-$n$ hybrid secret sharing scheme: 
it allows a dealer to share a secret value among all other servers, such that every server 
receives an additive $n$-out-$n$ share of the secret, as well as a $\kappa$-out-$n$ backup share of 
every other server's additive share ($t + 1 \le \kappa \le n$). Moreover, it guarantees to terminate 
for any server if the dealer is honest; otherwise, it either terminates for none or for all 
honest servers. Details of our scheme are given in Section 4. 

Reconstructible Proactive Pseudorandomness (PPR). The key to our solutions for 
proactive secret sharing and for joint random secret sharing is a reconstructible PPR 
scheme. Such a scheme provides at every phase $\tau$ to every server $P_i$ a secret value $pr_{\tau,i}$ 
which looks completely random to the adversary. Furthermore, any set of $n - t$ servers 
must be able to reconstruct the value $pr_{\tau,j}$ of any other server $P_j$ without affecting the 
secrecy of the random value $pr_{\tau',j}$ computed by this server in another phase $\tau' \ne \tau$. 

Our implementation assumes a trusted dealer that provides in the first phase every 
server Pi with a random key r^, and with a (n — f)-out-n backup share r^i of every 
other server’s key ry. The idea is to compute pr.,. ^ as where {(pi} is a DPRF 

with threshold (n — t), and c is some constant (pseudorandomness and constructibility 
of pr^ j then follows by the properties of DPRFs). This approach requires the servers to 
refresh in every phase their keys (and shares ru, . . . , Vni) such that the fresh keys of 
honest servers are unknown to the adversary. This can be done as follows. 

In a first step, $P_i$ shares the pseudorandom value $\varphi_{r_i}(a)$ (where $a$ denotes some public constant) among all other servers using an $(n-t)$-out-$n$ hybrid secret sharing scheme, where it derives all random choices using its current key $r_i$ as a seed to a pseudorandom function. It then computes its new key $r'_i$ as the sum of the additive shares provided by all these hybrid secret sharing schemes (the new shares $r'_{1i}, \ldots, r'_{ni}$ are computed as the sum of all provided backup shares). To do this, $P_i$ waits until $n-t$ servers have completed their sharing scheme as a dealer; for every other server $P_j$, it reveals the share $r_{ji}$. It can now simply wait until either $P_j$'s sharing scheme terminates, or until it receives enough shares $r_{jl}$ from other servers $P_l$ to reconstruct $r_j$ and derive the missing shares from it; since a sharing scheme terminates either for none or for all servers, one of the two cases eventually happens.

Notice that the servers need not agree on whether to derive the missing shares from the sharing schemes or from the reconstructed key $r_j$, as both ways provide the same values. Our protocol ensures that there is at least one honest server whose sharing scheme is not reconstructed. This ensures secrecy of the new keys $r'_i$.

Proactive Secret Sharing (PSS). Suppose that at the beginning of the computation, a 
trusted dealer shares a secret s among the servers. To prevent a mobile adversary from 
learning s, the servers have to compute fresh shares of s whenever they enter a new 
phase. This can be done using a proactive secret sharing scheme. 
Our implementation for PSS relies on an underlying PPR scheme (initialized by the dealer). Furthermore, it assumes that the trusted dealer initially provides every server with an additive share of the secret $s$, and with a $(t+1)$-out-$n$ backup share of every other server's additive share.

In an epoch $\tau$, the servers refresh their shares of the secret by first re-sharing their additive share of $s$ using a $(t+1)$-out-$n$ hybrid sharing scheme; in this step, every server $P_i$ derives all its random choices by using the current random value $pr_{\tau,i}$ (provided by the PPR scheme) as a seed to a pseudorandom function.

As in the PPR scheme, every server then computes its fresh additive share of $s$ as the sum of the additive shares provided by all re-sharing protocols (the backup shares are computed analogously). It therefore waits for $n-t$ re-sharing schemes to terminate, and reconstructs the remaining schemes in public. This can be done by reconstructing for every corresponding dealer $P_j$ the random value $pr_{\tau,j}$ as well as $P_j$'s current additive share of the secret. Reconstructing $pr_{\tau,j}$ can be done using the reconstruction mechanism of the PPR scheme, whereas $P_j$'s additive share can be reconstructed by revealing the corresponding backup shares.

Joint Random Secret Sharing (JRSS). The goal of a JRSS protocol is to provide every server with a $(t+1)$-out-$n$ share of a random value $e$ unknown to the adversary. It can be executed repeatedly during the phases. Our implementation works exactly as the above protocol for refreshing a sharing, except for the following differences. In an instance with tag $ID$ of protocol JRSS, a server $P_i$ derives its random choices from the (pseudo)random value $\varphi_{r_i}(ID)$ (as opposed to $pr_{\tau,i} = \varphi_{r_i}(c)$), where $r_i$ and $\{\varphi_i\}$ are the current key of $P_i$ and the DPRF, respectively, used by the underlying PPR scheme. It then shares a random value $e_i$ and proceeds as above. If the sharing scheme of a server $P_j$ needs to be reconstructed, the servers reconstruct only the corresponding randomness $\varphi_{r_j}(ID)$. Adding up all backup shares provided by the sharing schemes yields the desired $(t+1)$-out-$n$ share of the random value $e = e_1 + \cdots + e_n$.

Building Proactive Cryptosystems. Our protocols for PSS and for JRSS allow one to build proactive versions of a large class of discrete logarithm-based cryptosystems without the use of expensive agreement sub-protocols. The idea is to share the key of the cryptosystem using our PSS protocol, and to accomplish the cryptographic operation using a distributed protocol. Such a protocol can be derived by combining our JRSS protocol with known techniques from threshold cryptography. We illustrate this idea in Section 8, considering Schnorr's signature scheme [17] as an example.



4 Hybrid Secret Sharing 

In this section, we describe the syntax and security properties of our protocol for hybrid secret sharing, $\mathrm{HybridShare}_\kappa$, which will serve as a basic tool in our subsequent constructions. A description and analysis of the protocol are given in [1].

Intuitively, our hybrid secret sharing protocol allows a dealer to share a secret $s$ among $n$ servers in such a way that every server $P_i$ computes an additive share $s_i$ of the secret, and a $\kappa$-out-$n$ backup share $s_{ji}$ of every other server's additive share, where $t+1 \le \kappa \le n$ (the idea of backing up additive shares is inspired by [26]). Our specification treats the randomness $r$ used by the dealer as an explicit parameter, and requires that the share of every server is a deterministic function of $s$ and $r$. This constructibility of the shares will be essential for our purposes.

Formally, our sharing protocol $\mathrm{HybridShare}_\kappa$ has the following syntax. Let $\mathbb{F}_q$ be an arbitrary finite field, denoting the domain of secrets. There is a distinguished server $P_d$ called the dealer which activates an instance $ID.d$ of $\mathrm{HybridShare}_\kappa$ upon receiving an input of the form $(ID.d, \text{in}, \text{share}, s, r)$, where $s \in \mathbb{F}_q$ and $r \in \{0,1\}^k$; if this happens, we also say the dealer shares $s$ over $\mathbb{F}_q$ using randomness $r$ through $ID.d$. Every other server activates $ID.d$ upon receiving a message $(ID.d, \text{in}, \text{share})$. A server terminates $ID.d$ when it produces an output of the form $(ID.d, \text{out}, \text{shared}, s_i, s_{1i}, \ldots, s_{ni})$, where $s_i, s_{1i}, \ldots, s_{ni} \in \mathbb{F}_q$.

Our protocol $\mathrm{HybridShare}_\kappa$ has a message complexity of $O(n^2)$, a communication complexity of $O(kn^2)$ bits, and a round complexity of four. Furthermore, for any $t$-limited adversary where $t < n/3$, the following holds: Whenever a dealer shares a secret $s$ over $\mathbb{F}_q$ using randomness $r$ through an instance $ID.d$ of $\mathrm{HybridShare}_\kappa$, it holds that:

Liveness: If the dealer is honest throughout $ID.d$, then all honest servers terminate $ID.d$, provided all servers activate $ID.d$ in the same phase $\tau$, and the adversary delivers all messages among servers honest during phase $\tau$.

Agreement: If one honest server terminates $ID.d$, then all honest servers terminate $ID.d$, provided all servers activate $ID.d$ in the same phase $\tau$, and the adversary delivers all messages among servers honest during phase $\tau$.

Correctness: The values $s$ and $r$ uniquely define $n$ polynomials $f_j(x) \in \mathbb{F}_q[x]$ for $j \in [1,n]$ of degree $\kappa$, such that $s = \sum_{j=1}^{n} f_j(0)$, and the following holds: If a server $P_i$ outputs $s_i, s_{1i}, \ldots, s_{ni}$, then $f_i(0) = s_i$ and $f_j(i) = s_{ji}$ for $j \in [1,n]$.

Privacy: If the dealer is honest throughout $ID.d$, and $s$ and $r$ are uniformly distributed in $\mathbb{F}_q$ and $\{0,1\}^k$, respectively, then the adversary cannot guess $s$ with probability significantly better than $1/|\mathbb{F}_q|$.

Efficiency: The message complexity of ID.d is uniformly bounded. 



5 Asynchronous Reconstructible Proactive Pseudorandomness 

In this section we give a definition for an asynchronous reconstructible PPR scheme 
along the lines of [12], and describe our implementation. The security proof of the 
scheme is contained in the full version of the paper. 

5.1 Definition 

Let $l(k)$ be a fixed polynomial. An asynchronous reconstructible proactive pseudorandomness scheme consists of a probabilistic setup algorithm $\sigma$, a proactive pseudorandomness protocol $\pi$, and a reconstruction protocol $\rho$. An instance of such a scheme has an associated tag $ID$ and works as follows.

The setup algorithm $\sigma$ produces the initial state information $\mathit{state}_{0,i}$ and the initial random value $pr_{0,i}$ of every server $P_i$. It is executed at the beginning of the computation by a trusted dealer. At the beginning of every phase $\tau \in [1, m(k)]$, the servers execute an instance $ID|\mathrm{ppr}.\tau$ of $\pi$ to compute a fresh pseudorandom value for phase $\tau$. The input action for server $P_i$ carries the state information $\mathit{state}_{\tau-1,i}$ of the previous phase, and has the form $(ID|\mathrm{ppr}.\tau, \text{in}, \mathit{state}_{\tau-1,i})$. The output action comprises the pseudorandom value $pr_{\tau,i}$ and the updated state information $\mathit{state}_{\tau,i}$. It has the form $(ID|\mathrm{ppr}.\tau, \text{out}, pr_{\tau,i}, \mathit{state}_{\tau,i})$. If $P_i$ does not produce an output in phase $\tau$ (which could be the case if the server was corrupted and halted in the previous phase), then its input $\mathit{state}_{\tau,i}$ to the subsequent instance of $\pi$ is the empty input $\bot$.

In every phase $\tau \in [1, m(k)]$, the servers may execute an instance $ID|\mathrm{rec}_j.\tau$ of protocol $\rho$ to reconstruct the current pseudorandom value of server $P_j$. The corresponding input and output actions have the form $(ID|\mathrm{rec}_j.\tau, \text{in}, \mathit{state}_{\tau,i})$ and $(ID|\mathrm{rec}_j.\tau, \text{out}, z_i)$, respectively, where $\mathit{state}_{\tau,i}$ denotes the current state information of $P_i$. We say a server reconstructs a value $z_i$ for $P_j$ if it outputs a message $(ID|\mathrm{rec}_j.\tau, \text{out}, z_i)$.

As in [12], we define the security requirements with respect to the following on-line attack: The scheme is run in the presence of a $t$-limited adversary for $m(k)$ phases. At every phase $\tau$, the adversary may also instruct the servers to reconstruct the value $pr_{\tau,i}$ of any server. At a certain phase $l$ (chosen adaptively by the adversary), the adversary chooses an honest server $P_j$ whose value $pr_{l,j}$ is not reconstructed at that phase. She is then given a test value $v$, and the execution of the scheme is resumed for phases $l+1, \ldots, m(k)$. (Our definition will require that the adversary is unable to say whether $v$ is $P_j$'s output at phase $l$, or a random value.)

For an instance $ID$ of a PPR scheme and an adversary $A$, let $A(ID, PR)$ denote the output of $A$ after an on-line attack on $ID$ when $v$ is indeed the output of $P_j$; similarly, let $A(ID, R)$ denote the corresponding output when $v$ is a random value.

Definition 1. Let $\sigma$, $\pi$, and $\rho$ be given as above. We call $(\sigma, \pi, \rho)$ a $t$-resilient asynchronous reconstructible proactive pseudorandomness scheme if for every instance $ID$, and every $t$-limited adversary $A$, the following properties hold:

Liveness: Every server $P_i$ honest throughout a phase $\tau \in [1, m(k)]$ terminates instance $ID|\mathrm{ppr}.\tau$ in phase $\tau$, provided that in every phase $\tau' \in [1, \tau]$, the adversary activates each server honest throughout $\tau'$ on $ID|\mathrm{ppr}.\tau'$, and delivers all associated messages among servers honest during phase $\tau'$. Furthermore, if every such server $P_i$ subsequently activates $ID|\mathrm{rec}_j.\tau$ for some $j \in [1,n]$, it reconstructs some value $z_i$ for $P_j$, provided the adversary delivers all associated messages among servers honest during phase $\tau$.

Correctness: If a server $P_j$ outputs $(ID, \text{out}, pr_{\tau,j}, \mathit{state}_{\tau,j})$ in some phase $\tau \in [1, m(k)]$, and another server $P_i$ reconstructs $z_i$ for $P_j$ in phase $\tau$, then $z_i = pr_{\tau,j}$.

Pseudorandomness: $|\Pr[A(ID, PR) = 1] - \Pr[A(ID, R) = 1]|$ is negligible.

Efficiency: The message complexity of an instance of $\pi$ is uniformly bounded.

5.2 Implementation 

Let $\Phi_k = \{\varphi_i\}_{i \in \{0,1\}^k}$ denote a DPRF with threshold $n-t$, and let $a, b, c$ denote distinct arbitrary constants in the domain of $\Phi_k$. For convenience, we view elements from $\{0,1\}^k$ as elements from $\mathbb{F}_{2^k}$ (and conversely), according to some fixed bijective map from $\{0,1\}^k$ to $\mathbb{F}_{2^k}$. All computations are done over $\mathbb{F}_{2^k}$.

The Setup Algorithm $\sigma_{\mathrm{ppr}}$. The setup algorithm provides every server $P_i$ with a random value $r_i \in \mathbb{F}_{2^k}$, and with a $(t+1)$-out-$n$ share $r_{ji} \in \mathbb{F}_{2^k}$ of the random value of every other server. It therefore chooses $n$ random polynomials $f_i(x) \in \mathbb{F}_{2^k}[x]$ of degree $t$ for $i \in [1,n]$. The initial state information of a server is defined as $\mathit{state}_{0,i} = (f_i(0), f_1(i), \ldots, f_n(i))$. The initial pseudorandom value is computed as $pr_{0,i} \leftarrow \varphi_{f_i(0)}(c)$.

The Reconstruction Protocol $\rho_{\mathrm{ppr}}$. Let $r_i, r_{1i}, \ldots, r_{ni}$ denote $P_i$'s local input to an instance $ID|\mathrm{rec}_j.\tau$ of protocol $\rho_{\mathrm{ppr}}$. Reconstructing the pseudorandom value $pr_{\tau,j}$ of server $P_j$ is straightforward. Every server $P_i$ computes $pr_{\tau,ji} \leftarrow \varphi_{r_{ji}}(c)$ and sends it to every other server. Using the reconstruction mechanism of $\Phi_k$, every server can compute $pr_{\tau,j}$ upon receiving $n-t$ "shares" $pr_{\tau,jm}$ from other servers $P_m$.

The Asynchronous Proactive Pseudorandomness Protocol $\pi_{\mathrm{ppr}}$. Let $r_i, r_{1i}, \ldots, r_{ni}$ denote server $P_i$'s local input $\mathit{state}_{\tau-1,i}$ to instance $ID|\mathrm{ppr}.\tau$ of $\pi_{\mathrm{ppr}}$. To refresh this sharing, and to compute fresh pseudorandom values $\{pr_{\tau,i}\}$, every server $P_i$ executes the following transition rules in parallel.

Share: When $P_i$ invokes the protocol with non-empty input, it shares the pseudorandom value $\varphi_{r_i}(a)$ over $\mathbb{F}_{2^k}$ using randomness $\varphi_{r_i}(b)$ through an instance $ID|\mathrm{ppr}.\tau|\mathrm{share}.i$ of protocol $\mathrm{HybridShare}_{n-t}$.

Share-Termination: Whenever $P_i$ terminates a sharing protocol $ID|\mathrm{ppr}.\tau|\mathrm{share}.j$, it stores the corresponding output in the local variables $d_{ji}, d_{j1i}, \ldots, d_{jni}$. If the $(n-t)$'th such sharing protocol has terminated and $P_i$ has received non-empty input before, it sends to all servers a reveal message containing the values $\varphi_{r_{mi}}(a)$ and $\varphi_{r_{mi}}(b)$ for servers $P_m$ whose sharing protocol did not terminate yet.

Reconstruct: Whenever $P_i$ receives $n-t$ values $\varphi_{r_{ml}}(a)$, $\varphi_{r_{ml}}(b)$ for a server $P_m$, it reconstructs $\varphi_{r_m}(a)$ and $\varphi_{r_m}(b)$ using the reconstruction mechanism of $\Phi_k$. It then computes the values $d_{mi}, d_{m1i}, \ldots, d_{mni}$ as the $i$'th share when sharing a secret $\varphi_{r_m}(a)$ using randomness $\varphi_{r_m}(b)$ according to protocol $\mathrm{HybridShare}_{n-t}$.

Combine: When $P_i$ has computed values $d_{ji}, d_{j1i}, \ldots, d_{jni}$ for every $j \in [1,n]$, it computes its local output values $pr_{\tau,i}$ and $\mathit{state}_{\tau,i} = (r'_i, r'_{1i}, \ldots, r'_{ni})$ as $r'_i \leftarrow \sum_{j=1}^{n} d_{ji}$, $r'_{mi} \leftarrow \sum_{j=1}^{n} d_{jmi}$ for $m \in [1,n]$, and $pr_{\tau,i} \leftarrow \varphi_{r'_i}(c)$.

The scheme guarantees pseudorandomness because the pseudorandom values $\varphi_{r_i}(a)$ and $\varphi_{r_i}(b)$ of at least one honest server remain hidden from the adversary. This is guaranteed because all honest servers together reveal at most $(n-t)t$ "shares" $\varphi_{r_{ji}}(a)$ and $\varphi_{r_{ji}}(b)$. But to reconstruct $\varphi_{r_i}(a)$ and $\varphi_{r_i}(b)$ of all $(n-t)$ honest servers, the adversary needs at least $(n-t)(n-2t) > (n-t)(t+1)$ such shares, as the threshold of $\Phi_k$ is $(n-t)$.

The reason why the scheme avoids an agreement (while preserving constructibility) is the following: if an honest server $P_i$ terminates the protocol $ID|\mathrm{ppr}.\tau|\mathrm{share}.j$ and computes the tuple $(d_{ji}, d_{j1i}, \ldots, d_{jni})$, then this is the same tuple it would compute by first reconstructing the randomness $r_j$ of $P_j$ from backup shares, and then reproducing the computations of $P_j$ in the sharing protocol $ID|\mathrm{ppr}.\tau|\mathrm{share}.j$. Hence, the servers do not have to agree on whether to compute their share of $P_j$'s sharing protocol by the Share-Termination or the Reconstruct transition rule, as both rules provide the same share. We prove the following theorem in [1].
Theorem 1. $(\sigma_{\mathrm{ppr}}, \pi_{\mathrm{ppr}}, \rho_{\mathrm{ppr}})$ is a $t$-resilient asynchronous reconstructible proactive pseudorandomness scheme for $t < n/3$. It has a latency of five rounds, uses $O(n^2)$ messages, and has a communication complexity of $O(kn^3)$ bits.

6 Refreshing a Sharing 

In this section we define an asynchronous PSS scheme along the lines of [9], and sketch our implementation. The security proof of the scheme can be found in [1].

6.1 Definition 

Let $K$ denote the domain of possible secrets, $S$ denote the domain of possible shares, and $l(k)$ a fixed polynomial. An asynchronous proactive secret sharing scheme consists of a setup algorithm $\sigma$, a proactive refresh protocol $\pi$, and a reconstruction protocol $\rho$. An instance of a PSS has a tag $ID$ and works as follows.

The setup algorithm produces for each server $P_i$ the initial state information $\mathit{state}_{0,i}$ and the initial share $s_{0,i} \in S$ of the secret. It is executed at the beginning of the computation by the trusted dealer. At the beginning of every phase $\tau \in [1, m(k)]$ the servers execute an instance $ID|\mathrm{ref}.\tau$ of protocol $\pi$ to refresh the old share $s_{\tau-1,i}$, and to update the state $\mathit{state}_{\tau-1,i}$. The corresponding input and output actions of server $P_i$ have the form $(ID|\mathrm{ref}.\tau, \text{in}, s_{\tau-1,i}, \mathit{state}_{\tau-1,i})$ and $(ID|\mathrm{ref}.\tau, \text{out}, s_{\tau,i}, \mathit{state}_{\tau,i})$, respectively, where $s_{\tau-1,i}$ and $\mathit{state}_{\tau-1,i}$ equal $\bot$ in case $P_i$ did not produce an output in phase $\tau-1$.

In every phase $\tau \in [1, m(k)]$, the servers may execute an instance $ID|\mathrm{rec}.\tau$ of protocol $\rho$ to reconstruct the secret. The input and output actions for server $P_i$ have the form $(ID|\mathrm{rec}.\tau, \text{in}, s_{\tau,i})$ and $(ID|\mathrm{rec}.\tau, \text{out}, z_i)$, respectively, where $s_{\tau,i}$ denotes the current share as computed by the instance $ID|\mathrm{ref}.\tau$. We say that a server reconstructs a value $z_i$ when it outputs a message $(ID|\mathrm{rec}.\tau, \text{out}, z_i)$.

Definition 2. Let $\sigma$, $\pi$, and $\rho$ be given as above. We call $(\sigma, \pi, \rho)$ a $t$-resilient asynchronous proactive secret sharing scheme if for every instance $ID$, and every $t$-limited adversary, the following properties hold:

Liveness: Every server $P_i$ honest throughout a phase $\tau \in [1, m(k)]$ terminates instance $ID|\mathrm{ref}.\tau$ in phase $\tau$, provided that in every phase $\tau' \in [1, \tau]$, the adversary activates every server honest throughout phase $\tau'$ on $ID|\mathrm{ref}.\tau'$, and delivers all associated messages among servers honest during phase $\tau'$. Further, if every such $P_i$ subsequently activates $ID|\mathrm{rec}.\tau$, it reconstructs some value $z_i$, provided the adversary delivers all associated messages among servers honest during phase $\tau$.

Correctness: After initialization, there exists a fixed value $s \in K$. Moreover, if an honest server reconstructs a value $z_i$, then $z_i = s$.

Privacy: As long as no honest server activates an instance of $\rho$, the adversary cannot guess $s$ with probability significantly better than $1/|K|$.

Efficiency: The message complexity of $\pi$ and $\rho$ is uniformly bounded.

We stress that the security of the sharing does not depend on the timely delivery of messages. Even if the adversary fails to deliver the messages within the prescribed phase, the privacy of the shared secret is not compromised.
6.2 Implementation

Our implementation of the PSS scheme is a suitable example to illustrate how the PPR scheme introduced in the previous section can be used to avoid the need for agreement even where it seems to be inherently necessary. We therefore briefly recall the standard solution [9] for PSS that depends on agreement. Here, every server initially receives a $(t+1)$-out-$n$ share of the secret. To refresh the shares, every server provides every other server with a $(t+1)$-out-$n$ sub-share of its own share, using a suitable sharing scheme. The servers then agree on a set of at least $t+1$ servers whose re-sharing scheme terminates for all honest servers, and compute the new share as the linear combination of the received sub-shares (with Lagrange coefficients).

We follow the same approach (see Section 3), but avoid agreement by reconstructing the re-sharing schemes of the slowest (possibly crashed) servers in public. However, this approach only works if the publicly reconstructed sub-shares are identical to the ones which the re-sharing scheme would produce. Otherwise, the servers would again have to agree on which sub-shares to reconstruct, and which to take from the re-sharing schemes. This is where the PPR scheme comes in handy, as it allows the servers to reconstruct the random choices made by a server when it is re-sharing its share. The technical details are given below. Let the domain of possible secrets be a field $\mathbb{F}_q$ where $q < 2^k$. All computations are in $\mathbb{F}_q$ or $\mathbb{F}_{2^k}$, as is clear from the context.

The Setup Algorithm $\sigma_{\mathrm{pss}}$. The setup algorithm provides every server with an additive share $s_i$ of a randomly chosen secret, and with a $(t+1)$-out-$n$ share $s_{ji}$ of every other server's additive share. It therefore chooses $n$ random polynomials $f_i(x) \in \mathbb{Z}_q[x]$ of degree $t$ for $i \in [1,n]$ (the secret is defined as $s = \sum_{i=1}^{n} f_i(0)$). The initial share of server $P_i$ is defined as $s_{0,i} = (s_i, s_{1i}, \ldots, s_{ni})$, where $s_i = f_i(0)$ and $s_{ji} = f_j(i)$.

Additionally, the setup algorithm provides every server with the initial state information needed to initialize a PPR scheme. It therefore runs the setup algorithm $\sigma_{\mathrm{ppr}}$, and computes the initial state information $\mathit{state}_{0,i}$ of server $P_i$ as the tuple $(\mathit{state}^{\mathrm{ppr}}_{0,i}, pr_{0,i})$.

The Reconstruction Protocol $\rho_{\mathrm{pss}}$. The reconstruction protocol is straightforward. Every server $P_i$ sends its input $s_{\tau,i} = (s_i, s_{1i}, \ldots, s_{ni})$ to every other server. Upon receiving $t+1$ such values, the server interpolates all missing shares $s_j$ from the received sub-shares $s_{ji}$ by Lagrange interpolation, and computes the secret as $s = \sum_{j=1}^{n} s_j$.

The Refresh Protocol $\pi_{\mathrm{pss}}$. Let $(s_i, s_{1i}, \ldots, s_{ni})$ and $(\mathit{state}^{\mathrm{ppr}}_{\tau-1,i}, pr_{\tau-1,i})$ denote server $P_i$'s local input $s_{\tau-1,i}$ and $\mathit{state}_{\tau-1,i}$, respectively, to instance $ID|\mathrm{ref}.\tau$. To compute a fresh share $(s'_i, s'_{1i}, \ldots, s'_{ni})$ and updated state information $(\mathit{state}^{\mathrm{ppr}}_{\tau,i}, pr_{\tau,i})$, every server $P_i$ executes the following transition rules in parallel:

Share: When $P_i$ invokes the protocol, it activates an instance $ID|\mathrm{ppr}.\tau$ of protocol $\pi_{\mathrm{ppr}}$ with input $\mathit{state}^{\mathrm{ppr}}_{\tau-1,i}$ to compute $pr_{\tau,i}$. Furthermore, if $P_i$ received non-empty input, it shares its share $s_i$ over $\mathbb{F}_q$ using randomness $pr_{\tau-1,i}$ through an instance $ID|\mathrm{ref}.\tau|\mathrm{share}.i$ of protocol $\mathrm{HybridShare}_{t+1}$.

Share-Termination: Whenever $P_i$ terminates an instance $ID|\mathrm{ref}.\tau|\mathrm{share}.j$ of a sharing protocol, it stores the corresponding output in the local variables $e_{ji}, e_{j1i}, \ldots, e_{jni}$. If for $n-t$ servers $P_j$ the corresponding protocols $ID|\mathrm{ref}.\tau|\mathrm{share}.j$ have terminated, it sends the indices of all servers whose sharing protocol did not terminate yet to every other server in a missing message.

Reveal: If for some index $m$, $P_i$ receives $(n-t)$ missing messages from other servers containing this index and has received non-empty input before, it sends a reveal message to every other server containing the backup share $s_{mi}$ and the index $m$. Next, it activates the instance $ID|\mathrm{rec}_m.\tau$ of protocol $\rho_{\mathrm{ppr}}$ with input $\mathit{state}^{\mathrm{ppr}}_{\tau-1,i}$ to reconstruct the randomness $pr_{\tau-1,m}$ of $P_m$.

Reconstruct: Whenever $P_i$ receives $(t+1)$ reveal messages for the same index $m$ and reconstructs the value $pr_{\tau-1,m}$ for $P_m$, it computes the share $s_m$ from the received backup shares by Lagrange interpolation. It then computes the tuple $(e_{mi}, e_{m1i}, \ldots, e_{mni})$ as the $i$'th share when sharing $s_m$ using randomness $pr_{\tau-1,m}$.

Combine: When $P_i$ has computed values $(e_{mi}, e_{m1i}, \ldots, e_{mni})$ for all $m \in [1,n]$, it computes the new share $(s'_i, s'_{1i}, \ldots, s'_{ni})$ as follows: $s'_i \leftarrow \sum_{j=1}^{n} e_{ji}$, $s'_{mi} \leftarrow \sum_{j=1}^{n} e_{jmi}$ for $m \in [1,n]$.

Notice that the protocol has the same message flow as the pseudorandomness protocol $\pi_{\mathrm{ppr}}$, except for the additional missing messages. They ensure the secrecy of the share $s_h$ of at least one honest server $P_h$, and are needed because the servers hold a $(t+1)$-out-$n$ hybrid sharing of the secret $s$. We remark that for refreshing an $(n-t)$-out-$n$ hybrid sharing, the servers could omit waiting for $t+1$ such messages, and could execute the Reveal rule directly at the end of the Share-Termination rule. This would save one communication round. The proof of the following theorem can be found in [1].

Theorem 2. The tuple $(\sigma_{\mathrm{pss}}, \pi_{\mathrm{pss}}, \rho_{\mathrm{pss}})$ is a $t$-resilient asynchronous proactive secret sharing scheme for $t < n/3$. The refresh protocol $\pi_{\mathrm{pss}}$ uses $O(n^2)$ messages, has a latency of six rounds and a communication complexity of $O(kn^3)$ bits.
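The hybrid sharing of Section 4 and the refresh round just described, as an added illustration that is not part of the paper: a seed-derived $\mathrm{HybridShare}_\kappa$ (polynomials of degree $\kappa-1$, so that $\kappa$ backup shares reconstruct, as in the setup algorithms), its Lagrange reconstruction, and one refresh in which a crashed server's re-sharing is recomputed from its backup shares and its seed. The field, the SHA-256-based PRF and the per-server seeds standing in for $pr_{\tau-1,j}$ are constructed choices; the DPRF-based reconstruction of that seed is assumed to have happened.

```python
# Added example, not the paper's code: HybridShare_kappa with seed-derived
# randomness, its reconstruction, and one agreement-free refresh round in which
# a slow server's re-sharing is recomputed from its backup shares and its seed.
import hashlib

Q = 2**61 - 1  # constructed prime field F_q; the paper leaves q abstract


def prf(seed: bytes, label: bytes) -> int:
    """Field element derived from a seed; stands in for the PRF seeded with r."""
    return int.from_bytes(hashlib.sha256(seed + b"|" + label).digest(), "big") % Q


def poly_eval(coeffs, x):
    return sum(c * pow(x, e, Q) for e, c in enumerate(coeffs)) % Q


def hybrid_share(s, r, n, kappa):
    """Dealer shares s in F_q among servers 1..n (HybridShare_kappa).

    Returns {i: (s_i, [s_1i, ..., s_ni])}: s_i = f_i(0) is server i's additive
    share and s_ji = f_j(i) its kappa-out-n backup share of server j's share
    (degree kappa-1 polynomials, so any kappa points reconstruct).  Every f_j
    is derived from r, so the output is a deterministic function of (s, r).
    """
    polys = [[prf(r, b"f%d,%d" % (j, e)) for e in range(kappa)]
             for j in range(1, n + 1)]
    polys[-1][0] = (s - sum(p[0] for p in polys[:-1])) % Q  # sum_j f_j(0) = s
    return {i: (polys[i - 1][0], [poly_eval(p, i) for p in polys])
            for i in range(1, n + 1)}


def lagrange_zero(points):
    """Value at 0 of the polynomial through the points {x: y}, over F_q."""
    total = 0
    for xj, yj in points.items():
        num = den = 1
        for xm in points:
            if xm != xj:
                num = num * (-xm) % Q
                den = den * (xj - xm) % Q
        total = (total + yj * num * pow(den, Q - 2, Q)) % Q
    return total


def reconstruct(outputs, n):
    """rho_pss: recover s from the outputs {i: (s_i, backups)} of >= kappa servers."""
    return sum(lagrange_zero({i: out[1][j - 1] for i, out in outputs.items()})
               for j in range(1, n + 1)) % Q


def refresh(sharing, seeds, n, kappa, slow):
    """One refresh round (Section 6.2) of the sharing {i: (s_i, backups)}.

    seeds[j] plays pr_{tau-1,j}, the PPR value server j uses as randomness when
    re-sharing s_j.  Servers in `slow` never finish their own re-sharing; the
    others reconstruct s_j from kappa backup shares (Reveal) and, assuming
    pr_{tau-1,j} has been reconstructed through the PPR scheme, recompute j's
    sharing locally (Reconstruct).  Combine then sums all tuples position-wise.
    """
    fast = [i for i in sharing if i not in slow]
    resharing = {}
    for j in range(1, n + 1):
        if j in slow:
            s_j = lagrange_zero({i: sharing[i][1][j - 1] for i in fast[:kappa]})
        else:
            s_j = sharing[j][0]  # the dealer re-shares its own additive share
        resharing[j] = hybrid_share(s_j, seeds[j], n, kappa)
    new = {}
    for i in range(1, n + 1):
        s_i = sum(resharing[j][i][0] for j in range(1, n + 1)) % Q
        backups = [sum(resharing[j][i][1][m - 1] for j in range(1, n + 1)) % Q
                   for m in range(1, n + 1)]
        new[i] = (s_i, backups)
    return new


def demo(n=4, t=1):
    """n = 4, t = 1 (t < n/3) and kappa = t + 1 as in pi_pss.  Returns the checks."""
    kappa, secret = t + 1, 123456789
    sharing = hybrid_share(secret, b"dealer-seed", n, kappa)
    seeds = {j: b"pr_%d" % j for j in range(1, n + 1)}  # constructed PPR values
    new = refresh(sharing, seeds, n, kappa, slow={4})   # server 4 has crashed
    # the re-sharing server 4 would have produced itself ...
    own = hybrid_share(sharing[4][0], seeds[4], n, kappa)
    # ... against the one the others derive from two backup shares and its seed
    s4 = lagrange_zero({i: sharing[i][1][3] for i in (1, 2)})
    derived = hybrid_share(s4, seeds[4], n, kappa)
    return {
        "old_sharing_reconstructs": reconstruct({1: sharing[1], 2: sharing[2]}, n) == secret,
        "new_sharing_reconstructs": reconstruct({1: new[1], 3: new[3]}, n) == secret,
        "shares_changed": all(new[i][0] != sharing[i][0] for i in sharing),
        "same_tuple_either_way": own == derived,
    }
```

The last check is the point of Section 3: the tuple a server obtains by reconstructing a slow dealer's share and randomness is identical to the one the dealer's own sharing protocol would have delivered, so no agreement on which path was taken is needed.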

7 Asynchronous Proactive Joint Random Secret Sharing

The goal of an asynchronous proactive joint random secret sharing scheme is to enable the servers to repeatedly generate $(t+1)$-out-$n$ sharings of random values, such that the random values remain hidden from the adversary. Due to lack of space, we only sketch the definition and implementation.

Definition. An asynchronous proactive joint random secret sharing (JRSS) scheme consists of a setup algorithm $\sigma$, a proactive update protocol $\pi$, a joint random secret sharing protocol $\gamma$, and a reconstruction protocol $\rho$. An instance of such a scheme has a tag $ID$ and works as follows.

At the beginning of the computation, a trusted dealer executes the setup algorithm $\sigma$ and provides every server with its initial state information $\mathit{state}_{0,i}$. At the beginning of every phase $\tau \in [1, m(k)]$, the servers execute protocol $\pi$ to update the state information $\{\mathit{state}_{\tau-1,i}\}$. During every phase $\tau \in [1, m(k)]$, the servers can repeatedly execute protocol $\gamma$ to generate a sharing of a random value $z_c$ in a domain $K$. Every such instance has a unique tag $ID|\mathrm{gen}_c$. For every server $P_i$, it takes the current state information $\mathit{state}_{\tau,i}$ as input, and produces as output a share $s_{c,i}$ of the random value $z_c$. These shares may serve as input to the reconstruction protocol $\rho$ with tag $ID|\mathrm{rec}_c$, which produces for every server a value $z_{c,i}$ as output.

For a JRSS scheme to be secure, we require that when the first server completes an instance $ID|\mathrm{gen}_c$, there is a fixed value $z_c$ such that the following holds: (Correctness) If a server $P_i$ terminates $ID|\mathrm{rec}_c$ and outputs $z_{c,i}$, then $z_{c,i} = z_c$. Furthermore, (Privacy) as long as no honest server activates $ID|\mathrm{rec}_c$, the adversary cannot guess $z_c$ with probability significantly better than $1/|K|$.

Implementation. Our implementation builds on our PPR scheme $(\sigma_{\mathrm{ppr}}, \pi_{\mathrm{ppr}}, \rho_{\mathrm{ppr}})$. Let $\Phi_k = \{\varphi_i\}$ denote the DPRF family used by the PPR scheme, $a$ and $b$ denote two distinct constants, and $H : \{0,1\}^* \to \{0,1\}^k$ denote a collision resistant hash function (it is well-known how to construct such functions from standard computational assumptions such as the hardness of the discrete-logarithm problem).

The state information $\{\mathit{state}_{\tau,i}\}$ of our JRSS scheme comprises only the state information of our PPR scheme, i.e., $\mathit{state}_{\tau,i} = (r_i, r_{1i}, \ldots, r_{ni})$. Protocols $\sigma_{\mathrm{jrss}}$ and $\pi_{\mathrm{jrss}}$ for setting up and refreshing this state, respectively, consist only of calling the protocols $\sigma_{\mathrm{ppr}}$ and $\pi_{\mathrm{ppr}}$. The protocol $\gamma_{\mathrm{jrss}}$ for generating sharings of random values in $\{0,1\}^k$ works as follows. Given input $\mathit{state}_{\tau,i} = (r_i, r_{1i}, \ldots, r_{ni})$ to an instance $ID|\mathrm{gen}_c$ of $\gamma_{\mathrm{jrss}}$, every server $P_i$ performs the following steps (all computations are done in $\mathbb{F}_{2^k}$).



Share: When $P_i$ invokes the protocol with non-empty input, it shares $\varphi_{r_i}(H(ID|\mathrm{gen}_c|a))$ over $\mathbb{F}_{2^k}$ through an instance of protocol $\mathrm{HybridShare}_{t+1}$ with tag $ID|\mathrm{gen}_c|\mathrm{share}.i$ using randomness $\varphi_{r_i}(H(ID|\mathrm{gen}_c|b))$.

Share-Termination: Whenever $P_i$ terminates a sharing protocol $ID|\mathrm{gen}_c|\mathrm{share}.j$, it stores the corresponding output in local variables $e_{ji}, e_{j1i}, \ldots, e_{jni}$. Once $n-t$ sharing protocols have terminated and $P_i$ has received non-empty input before, it sends to all servers a reveal message containing the values $\varphi_{r_{mi}}(H(ID|\mathrm{gen}_c|a))$ and $\varphi_{r_{mi}}(H(ID|\mathrm{gen}_c|b))$ for servers $P_m$ whose sharing protocol did not terminate yet.

Reconstruct: Upon receiving $n-t$ reveal messages for the same index $m$, $P_i$ reconstructs the values $\varphi_{r_m}(H(ID|\mathrm{gen}_c|a))$ and $\varphi_{r_m}(H(ID|\mathrm{gen}_c|b))$ (using the threshold evaluation property of $\Phi_k$) and derives the missing sub-shares $e_{mi}, e_{m1i}, \ldots, e_{mni}$.

Combine: When $P_i$ has computed values $(e_{mi}, e_{m1i}, \ldots, e_{mni})$ for every $m \in [1,n]$, it computes $s_{c,i} = (s_i, s_{1i}, \ldots, s_{ni})$ as follows: $s_i \leftarrow \sum_{j=1}^{n} e_{ji}$, $s_{mi} \leftarrow \sum_{j=1}^{n} e_{jmi}$ for $m \in [1,n]$.

The shared secret value $z_c$ is never reconstructed but equals $\sum_{j=1}^{n} \varphi_{r_j}(H(ID|\mathrm{gen}_c|a))$. Protocol $\gamma_{\mathrm{jrss}}$ has a latency of five rounds, a message complexity of $O(n^2)$, and a communication complexity of $O(kn^3)$ bits.

An instance $ID|\mathrm{rec}_c$ of the reconstruction protocol $\rho_{\mathrm{jrss}}$ works as follows. Every server $P_i$ sends its share $s_{c,i} = (s_i, s_{1i}, \ldots, s_{ni})$ (which it receives as input) to every other server. Upon receiving $t+1$ such values, $P_i$ derives all values $s_j$ from the received sub-shares $s_{jm}$ by Lagrange interpolation and computes the secret as $z_c = \sum_{j=1}^{n} s_j$.
8 A Simple Proactive Secure Signature Scheme

Our protocols for PSS and JRSS can be used to proactivize a large class of discrete-logarithm based public-key cryptosystems for signing and encryption. In this section, we sketch how this can be done, considering Schnorr's signature scheme as an example.

Let $p$ denote a large prime, and $\langle g \rangle$ denote a multiplicative subgroup of $\mathbb{Z}_p^*$ of prime order $q$ such that $q \mid p-1$. In the regular centralized Schnorr signature scheme, the secret key $x$ of the signer is a random element from $\mathbb{Z}_q$, and the public key is $y = g^x$. To sign a message $m \in \{0,1\}^*$, the signer picks a random number $r \in \mathbb{Z}_q$, and computes the signature $(\rho, \sigma)$ as $\rho \leftarrow g^r \bmod p$ and $\sigma \leftarrow r + H(m\|\rho)x \bmod q$. A signature $(\rho, \sigma)$ on a message $m$ can then be verified by checking that $g^\sigma = \rho\, y^{H(m\|\rho)} \bmod p$.

In a proactive signature scheme, the power to sign a message is distributed among the servers such that in every epoch, only a set of at least $t+1$ servers can generate valid signatures, whereas any smaller set can neither compute a signature nor prevent the overall system from operating correctly. For a formal treatment of proactive signature schemes we refer to [12].

Proactivizing Schnorr's signature scheme in the above sense can be done as follows. First, a trusted dealer chooses the values $p, q, g, x$ as in the standard Schnorr scheme, and initializes a PSS scheme with a sharing of $x$. It also initializes a JRSS scheme, and announces the public parameters $p, q, g$ and $y$. To compute a signature $(\rho, \sigma)$ on a message $m$, every server $P_i$ performs the following steps:

generate $\rho = g^r$:

(1) Use the underlying JRSS scheme to compute a $(t+1)$-out-$n$ share $r_i$ of a random value $r \in \mathbb{Z}_q$.

(2) Reveal the value $\rho_i = g^{r_i} \bmod p$ to all other servers.

(3) Upon receiving $t+1$ values $\rho_j$, compute $\rho$ from the values $\rho_j$ by using Lagrange interpolation in the exponent, i.e., $\rho \leftarrow \prod_{j \in Q} \rho_j^{\lambda_j} \bmod p$. Here, $Q$ denotes the indices of the received values $\rho_j$, and $\lambda_j$ the Lagrange interpolation coefficient for the set $Q$ and position 0.

generate $\sigma = r + H(m\|\rho)x$:

(1) Reveal the value $\sigma_i = r_i + H(m\|\rho)x_i \bmod q$ to all other servers; here, $x_i$ denotes server $P_i$'s current share of $x$ as computed by the underlying PSS scheme.

(2) Upon receiving $t+1$ values $\sigma_j$, compute $\sigma$ by using Lagrange interpolation, i.e., $\sigma \leftarrow \sum_{j \in S} \lambda_j \sigma_j \bmod q$. Here, $S$ denotes the indices of the received values $\sigma_j$, and $\lambda_j$ the Lagrange coefficients for the set $S$ and position 0.
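The two combination rounds above, carried out by $t+1$ servers over a constructed toy group, as an added example that is not the paper's protocol code: the $(t+1)$-out-$n$ shares of $x$ and $r$ are generated locally here in place of the PSS and JRSS protocols, and $p = 23$, $q = 11$, $g = 4$ and the SHA-256-based hash into $\mathbb{Z}_q$ are constructed choices.

```python
# Added example, not the paper's code: Lagrange interpolation in the exponent
# (for rho) and in Z_q (for sigma) as in Section 8, checked against the
# centralized Schnorr signature it must reproduce.
import hashlib
import random

# Constructed toy group: p = 23, q = 11 divides p - 1, and g = 4 has order 11.
P, QORD, G = 23, 11, 4


def hash_mod_q(m: bytes, rho: int) -> int:
    """H(m || rho) reduced into Z_q (constructed instantiation of H)."""
    h = hashlib.sha256(m + b"||" + str(rho).encode()).digest()
    return int.from_bytes(h, "big") % QORD


def shamir_shares(secret, t, n, rng):
    """(t+1)-out-n Shamir shares {i: f(i)} of `secret` over Z_q, with f(0) = secret."""
    coeffs = [secret] + [rng.randrange(QORD) for _ in range(t)]
    return {i: sum(c * pow(i, e, QORD) for e, c in enumerate(coeffs)) % QORD
            for i in range(1, n + 1)}


def lagrange_coeffs(indices):
    """lambda_j for the index set `indices` and position 0, over Z_q."""
    lam = {}
    for j in indices:
        num = den = 1
        for m in indices:
            if m != j:
                num = num * (-m) % QORD
                den = den * (j - m) % QORD
        lam[j] = num * pow(den, QORD - 2, QORD) % QORD
    return lam


def threshold_sign(m, x_shares, r_shares, signers):
    """The two rounds of Section 8 run by the t+1 servers in `signers`."""
    lam = lagrange_coeffs(signers)
    # round 1: each server reveals rho_i = g^{r_i}; combine in the exponent
    rho = 1
    for j in signers:
        rho_j = pow(G, r_shares[j], P)
        rho = rho * pow(rho_j, lam[j], P) % P
    e = hash_mod_q(m, rho)
    # round 2: each server reveals sigma_i = r_i + H(m||rho) x_i; combine with lambda_j
    sigma = sum(lam[j] * ((r_shares[j] + e * x_shares[j]) % QORD)
                for j in signers) % QORD
    return rho, sigma


def verify(m, y, rho, sigma):
    """Centralized Schnorr check: g^sigma == rho * y^{H(m||rho)} mod p."""
    return pow(G, sigma, P) == rho * pow(y, hash_mod_q(m, rho), P) % P


def demo(n=4, t=1, seed=7):
    """Returns (signature verifies, equals the centralized signature, tampered copy fails)."""
    rng = random.Random(seed)
    x = rng.randrange(1, QORD)                # dealer's secret key, shared via PSS
    y = pow(G, x, P)
    x_shares = shamir_shares(x, t, n, rng)
    r = rng.randrange(QORD)                   # the JRSS output r, never assembled
    r_shares = shamir_shares(r, t, n, rng)
    m = b"constructed message"
    rho, sigma = threshold_sign(m, x_shares, r_shares, [2, 4])  # any t+1 servers
    rho_c = pow(G, r, P)                      # what a centralized signer computes
    central = (rho_c, (r + hash_mod_q(m, rho_c) * x) % QORD)
    return (verify(m, y, rho, sigma),
            (rho, sigma) == central,
            verify(m, y, rho, (sigma + 1) % QORD))
```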

Verification of the computed signature can be done exactly as in the centralized Schnorr scheme. One can show that this proactive signature scheme is as secure as the centralized Schnorr scheme in the following sense: If there exists a $t$-limited mobile adversary against the proactive signature scheme that can forge a signature (under an adaptively chosen message attack), then there exists an adversary against the centralized Schnorr scheme that can forge signatures (under an adaptively chosen message attack).

Proactivizing other discrete-logarithm signature schemes such as ElGamal [15] or 
DSS [16] can be done in a similar way (to solve the inversion problem that occurs in 
DSS, one can use the approach of [27]). 
9 Conclusions and Open Problems

In this paper, we have presented the first asynchronous schemes for proactive secret 
sharing and proactive joint random secret sharing with a bounded worst case complexity. 
Moreover, our solutions run three times faster (in terms of latency) than the best known 
previous solutions. 

The technical novelty of our schemes is that they do not rely on an agreement sub- 
protocol. The fact that agreement can be avoided is surprising on its own, as all known 
previous techniques for implementing such schemes require the servers to have at some 
point a common view of which servers have been crashed. 

A natural open problem is to enhance our techniques to tolerate a Byzantine adversary. 
Here, the main difficulty lies in designing a verifiable version of our hybrid secret sharing 
scheme. In such a scheme, the dealer must be committed to a random value (of the same 
size as the secret), such that every server can verify that the dealer has indeed computed 
the shares by using this random value as a seed to a pseudorandom function. In principle, 
this can be done using the technique of general zero-knowledge proofs [10]. We suggest 
it as an open research problem to construct a pseudorandom function together with 
efficient zero-knowledge proofs for this task. 
Abstract. We consider the problem of increasing the threshold parameter of a secret-sharing scheme after the setup (share distribution) phase, 
without further communication between the dealer and the sharehold- 
ers. Previous solutions to this problem require one to start off with a 
non-standard scheme designed specifically for this purpose, or to have 
communication between shareholders. In contrast, we show how to in- 
crease the threshold parameter of the standard Shamir secret-sharing 
scheme without communication between the shareholders. Our technique 
can thus be applied to existing Shamir schemes even if they were set up 
without consideration to future threshold increases. 

Our method is a new positive cryptographic application for lattice 
reduction algorithms, inspired by recent work on lattice-based list decod- 
ing of Reed-Solomon codes with noise bounded in the Lee norm. We use 
fundamental results from the theory of lattices (Geometry of Numbers) 
to prove quantitative statements about the information-theoretic secu- 
rity of our construction. These lattice-based security proof techniques 
may be of independent interest. 

Keywords: Shamir secret-sharing, changeable threshold, lattice reduc- 
tion, geometry of numbers. 



1 Introduction 

Background. A (t, n)-threshold secret-sharing scheme is a fundamental crypto- 
graphic scheme, which allows a dealer owning a secret to distribute this secret 
among a group of n shareholders in such a way that any t shareholders can 
reconstruct the secret, but no subset of less than t shareholders can gain infor- 
mation on the secret. Classical constructions for (t,n) secret-sharing schemes 
include the polynomial-based Shamir scheme [18] and the integer-based Chinese 
Remainder Theorem (CRT) scheme [2]. 

A common application for (t, n) secret-sharing schemes is for achieving ro- 
bustness of distributed security systems. A distributed system is called robust 
if system security is maintained even against an attacker who manages to break 
into/eavesdrop up to a certain number of components of the distributed system. 
For example, access control to a system can be enforced using a secret shared 
among n system servers using a (t, n)-threshold secret-sharing scheme, while 
maintaining security if less than t servers are compromised. In such applica- 
tions, the threshold parameter t must be determined by a security policy, based 
on an assessment which is a compromise between the value of the protected sys- 
tem and attacker capabilities on the one hand (which require as high a threshold 
as possible) and user convenience and cost on the other hand (which require as 
low a threshold as possible). In many settings, the system value and attacker 
capabilities are likely to change over time, thus requiring the security policy 
and hence threshold parameter t to vary over time. In particular, an increase 
in system value or attacker capabilities after the initial setup with a relatively 
low threshold parameter t, will require an increase in the threshold parameter 
to a higher value t' > t. The longer the lifetime of the system, the more likely 
that such a change will be needed. Note that we assume that shareholders will 
cooperate honestly in making the transition to the larger threshold t' > t, since 
the attacker in our setting is an outsider. 

Previous Solutions. A trivial solution to the problem of increasing the threshold 
parameter of a (t, n)-threshold secret-sharing scheme to t' > t is for the share- 
holders to discard their old shares and for the dealer to distribute new shares of 
a (t',n) secret-sharing scheme to all shareholders. However, this solution is not 
very attractive, since it requires the dealer to be involved after the setup stage 
and moreover requires communication between the dealer and each shareholder 
(such communication may be difficult to establish after the initial setup stage). 

A much better solution would allow the threshold to be changed at any time 
without any communication between the dealer and shareholders after the setup 
stage. We say that such schemes allow dealer-free threshold changeability. A 
trivial dealer-free threshold changeable scheme can be constructed as follows: 
the dealer initially sets up $n - t + 1$ threshold schemes for each possible future threshold $t' \in \{t, t+1, \ldots, n\}$, and gives to each shareholder $n - t + 1$ shares of the secret. Namely, for each $t' \in \{t, \ldots, n\}$, the shareholder receives a share of the secret for a $(t', n)$-threshold scheme. Such a trivial scheme may not be 
applicable because of the following drawbacks: 

(1) Non-standard Initial Scheme: The dealer must plan ahead for future threshold increases by initially setting up a non-standard $(t, n)$-threshold scheme designed specifically for threshold-changeability, whose shares consist of $n - t + 1$ shares corresponding to the $n - t + 1$ underlying $(t', n)$-threshold schemes. Hence the trivial scheme cannot be applied to increase the threshold of existing standard Shamir $(t, n)$-schemes which were not originally designed for threshold changeability and in which each shareholder has only a single share of one Shamir $(t, n)$-scheme.

(2) Large Storage/Communication Requirements for Shareholders: Each shareholder must receive and store $n - t + 1$ shares, where each share is as long as the secret (assuming that perfect security is desired). Hence the trivial scheme cannot be applied when storage or communication costs for $n - t + 1$ shares are prohibitive.
Other ‘dealer-free’ solutions to the threshold increase problem have been 
proposed in the literature (see related work below), but they all suffer from at 
least one of the two drawbacks above, or they require communication between 
the shareholders. 

Our Contributions. In this paper, we present a new method for increasing the 
threshold of the standard Shamir (t, n)-threshold secret-sharing scheme[18], which 
does not have any of the drawbacks discussed above. In particular, and in con- 
trast to previous solutions, our method does not require communication between 
the dealer and shareholders after the initial setup stage nor between sharehold- 
ers, and can be applied to existing Shamir schemes even if they were set up 
without consideration to future threshold increase. Storage and communication 
costs are the same as for the standard Shamir scheme. 

The basic idea of our method is the following: to increase the threshold from 
t to t' > t, the shareholders add an appropriate amount of random noise to 
their shares (or delete a certain fraction of the bits of their share) to compute 
subshares which contain partial information about (e.g. half the most-significant 
bits of) the original shares. Since the subshares contain only partial information 
about the original shares, a set of t subshares may no longer be sufficient to 
reconstruct the secret uniquely, but if one observes a sufficiently larger number 
f > t of subshares then one can expect the secret to be uniquely determined by 
these t' subshares (e.g. if the subshares contain only half the information in the 
original shares then one can expect that t' = 2t subshares will uniquely determine 
the secret)^. By replacing the share eombiner algorithm of the original {t,n)~ 
threshold secret-sharing with an appropriate ‘error-correction’ algorithm which 
can uniquely recover the secret from any t' subshares, we obtain the desired 
threshold increase from t to t' , leaving the secret unchanged. 

Our efficient ‘error-correction’ combiner algorithm for the Shamir secret- 
sharing scheme is constructed using lattice basis reduction techniques. Thus, 
our method is a new positive cryptographic application for lattice reduction 
algorithms. Furthermore, we make use of fundamental tools from the theory 
of lattices (Geometry of Numbers) to prove quantitative statements about the 
information-theoretic security and correctness of our construction. These lattice- 
based security proof techniques may be of independent interest. 

Although our threshold-increase method does not yield a perfect $(t', n)$ secret-sharing scheme, we obtain a useful result about the information-theoretic security of our method, which we believe suffices for many applications. Roughly speaking, we prove that for any desired $\epsilon > 0$, our method can be used to change the threshold to $t' > t$ (meaning that any $t'$ subshares can be used to recover the secret) such that any $t_s < t' - (t'/t)$ observed subshares leak to the attacker at most a fraction $\epsilon$ of the entropy of the secret, where $\epsilon$ can be made as small as we wish by an appropriate choice of security parameter.



¹ We remark that this intuitive reasoning is not rigorous, and indeed there exist examples for which it is incorrect. However, our results show that it is approximately true for the Shamir scheme.
Interestingly, our lattice-based methods can be adapted also to change the 
threshold of the standard integer-based Chinese Remainder Theorem (CRT) 
secret-sharing scheme [2]. We provide full details of this result in a companion 
paper [22]. 

Related Work. Several approaches to changing the parameters of a threshold 
scheme in the absence of the dealer have been proposed in the literature. The 
technique of secret redistribution^, 16] involves communication among the shareholders to ‘redistribute’ the secret with a new threshold parameter. Although this 
technique can be applied to standard secret-sharing schemes, its disadvantage is 
the need for secure channels for communication between shareholders. Methods 
for changing threshold which do not require secure channels have been studied 
in [4,14,15,13], but they all require the initial secret-sharing scheme to be a 
non-standard one, specially designed for threshold increase (as a simple example 
of such a non-standard scheme, the dealer could provide each shareholder with 
two shares of the secret: one share for a (t, n) scheme and one share for a {t' , n) 
scheme) . 

Our scheme uses a lattice-based ‘error-correction’ algorithm which is a slight variant of an algorithm for ‘Noisy Polynomial Approximation’ with noise bounded in the Lee norm [20]. This algorithm in turn is one of a large body of recent work on ‘list decoding’ of Reed-Solomon and Chinese Remainder codes [9, 19, 6, 21]. We remark also that although the correctness proof of our scheme is based on the work of [20], our security proof is new and the lattice-based techniques used may be of independent interest.

Organization of This Paper. Section 2 presents notations, known results on lat- 
tices, and a counting lemma that we use. In Section 3, we provide definitions 
of changeable-threshold secret-sharing schemes and their correctness/security 
notions. In Section 4 we present the original Shamir (t, n)-threshold secret shar- 
ing scheme, and our threshold-changing algorithms to increase the threshold to 
t' > t. We then provide concrete proofs of the correctness and security proper- 
ties of our scheme. Section 5 concludes the paper. Due to page limitations, some 
proofs have been omitted. They are included in the full version of this paper, 
available on the authors’ web page. 

2 Preliminaries 

2.1 Notation 

Vectors and Polynomials. For a vector $\mathbf{v} \in \mathbb{R}^n$, we write $\mathbf{v} = (\mathbf{v}[0], \ldots, \mathbf{v}[n-1])$, where, for $i = 0, \ldots, n-1$, $\mathbf{v}[i]$ denotes the $i$th coordinate of $\mathbf{v}$. Similarly for a polynomial $a(x) = a[0] + a[1]x + \ldots + a[t-1]x^{t-1}$, we let $a[i]$ denote the coefficient of $x^i$. For a ring $R$, we denote the set of all polynomials of degree at most $t$ with coefficients in the ring $R$ by $R[x; t]$.

Lee and Infinity Norm. For a prime $p$ and an integer $z$ we denote the Lee norm of $z$ modulo $p$ as $\|z\|_{L,p} = \min_{k \in \mathbb{Z}} |z - kp|$. Similarly, for a vector $\mathbf{v} \in \mathbb{Z}^n$, we define the Lee norm of $\mathbf{v}$ modulo $p$ by $\|\mathbf{v}\|_{L,p} = \max_{0 \le i \le n-1} \|\mathbf{v}[i]\|_{L,p}$. For a vector $\mathbf{z} = (z_1, \ldots, z_n) \in \mathbb{R}^n$, we denote the infinity norm of $\mathbf{z}$ by $\|\mathbf{z}\|_\infty = \max_{1 \le i \le n} |z_i|$. For integers $a$ and $p$, we denote $a \bmod p$ by $|a|_p$. For real $z$ we define $\mathrm{Int}(z) = \lceil z \rceil - 1$ as the largest integer strictly less than $z$.

Sets. For a set $S$, we denote by $\#S$ the size of $S$. For any set $S$ and integer $n$, we denote by $S^n$ the set of all $n$-tuples of elements from $S$ and by $D(S^n)$ the set of all $n$-tuples of distinct elements from $S$. For integer $n$, we denote by $[n]$ the set $\{1, 2, \ldots, n\}$.

Entropy. We denote by $\log(\cdot)$ the logarithm function with base 2. For a discrete random variable $s$ with probability distribution $P_s(\cdot)$ on a set $S$, we denote by $H(s \in S) = \sum_{x \in S} P_s(x) \log(1/P_s(x))$ the Shannon entropy of $s$. Let $t$ be any other random variable on a set $T$, and let $u$ denote any element of $T$. Let $P_s(\cdot \mid u)$ denote the conditional probability distribution of $s$ given the event $t = u$. We denote by $H(s \in S \mid u) = \sum_{x \in S} P_s(x \mid u) \log(1/P_s(x \mid u))$ the conditional entropy of $s$ given the event $t = u$.

2.2 Lattices 

Here we collect several known results that we use about lattices, which can be found in [8, 10, 7]. Let $\{\mathbf{b}_1, \ldots, \mathbf{b}_n\}$ be a set of $n$ linearly independent vectors in $\mathbb{R}^n$. The set

$$\mathcal{L} = \{\mathbf{z} : \mathbf{z} = c_1 \mathbf{b}_1 + \ldots + c_n \mathbf{b}_n,\ c_1, \ldots, c_n \in \mathbb{Z}\}$$

is called an $n$-dimensional (full-rank) lattice with basis $\{\mathbf{b}_1, \ldots, \mathbf{b}_n\}$. Given a basis $B = (\mathbf{b}_1, \ldots, \mathbf{b}_n) \in (\mathbb{R}^n)^n$ for a lattice $\mathcal{L}$, we define the associated basis matrix $M_{\mathcal{L},B}$ to be the (full-rank) $n \times n$ matrix whose $i$th row is the $i$th basis vector $\mathbf{b}_i$ for $i = 1, \ldots, n$. The quantity $|\det(M_{\mathcal{L},B})|$ is independent of $B$. It is called the determinant of the lattice $\mathcal{L}$ and denoted by $\det(\mathcal{L})$.

Given a basis for lattice $\mathcal{L}$, the problem of finding a shortest non-zero vector in $\mathcal{L}$ is known as the shortest vector problem, or SVP. An algorithm is called an SVP approximation algorithm with $\|\cdot\|_\infty$-approximation factor $\gamma_{SVP}$ if it is guaranteed to find a non-zero lattice vector $\mathbf{c}$ such that $\|\mathbf{c}\|_\infty \le \gamma_{SVP} \min_{\mathbf{v} \in \mathcal{L} \setminus \{0\}} \|\mathbf{v}\|_\infty$. The celebrated LLL algorithm of Lenstra, Lenstra and Lovász [12] is a fully polynomial time SVP approximation algorithm with $\|\cdot\|_\infty$-approximation factor $\gamma_{LLL} = n^{1/2} 2^{n/2}$. Also, as shown in [1, 11], there exists an SVP approximation algorithm with a $\|\cdot\|_\infty$-approximation factor (see [1, 11]) which runs in polynomial time in the size of the elements of $M_{\mathcal{L}}$ but not in the dimension of $\mathcal{L}$.

In this paper we actually need to solve a variation of SVP called the closest vector problem (CVP): given a basis of a lattice $\mathcal{L}$ in $\mathbb{R}^n$ and a “target” vector $\mathbf{t} \in \mathbb{R}^n$, find a lattice vector $\mathbf{c}$ such that $\|\mathbf{c} - \mathbf{t}\|_\infty$ is minimized. An algorithm is called a CVP approximation algorithm with $\|\cdot\|_\infty$-approximation factor $\gamma_{CVP}$ if it is guaranteed to find a lattice vector $\mathbf{c}$ such that $\|\mathbf{c} - \mathbf{t}\|_\infty \le \gamma_{CVP} \min_{\mathbf{v} \in \mathcal{L}} \|\mathbf{v} - \mathbf{t}\|_\infty$. Babai [3] has shown how to convert the LLL algorithm into a fully polynomial CVP approximation algorithm with $\|\cdot\|_\infty$-approximation factor $\gamma_{Bab} = n^{1/2} 2^{n/2}$.
In our proof of security we use several fundamental theorems from the theory of lattices (‘Geometry of Numbers’). The original theorems are quite general, but the restricted versions stated below suffice for our purposes. First, we need the following definition of successive Minkowski minima of a lattice.

Definition 1 (Minkowski Minima). Let $\mathcal{L}$ be a lattice in $\mathbb{R}^n$. For $i = 1, \ldots, n$, the $i$th successive Minkowski minimum of $\mathcal{L}$, denoted $\lambda_i(\mathcal{L})$, is the smallest real number such that there exists a set $\{\mathbf{b}_1, \ldots, \mathbf{b}_i\}$ of $i$ linearly-independent vectors in $\mathcal{L}$ with $\|\mathbf{b}_j\|_\infty \le \lambda_i(\mathcal{L})$ for all $j = 1, \ldots, i$.

Note that $\lambda_1(\mathcal{L})$ is just the shortest infinity-norm over all non-zero vectors in $\mathcal{L}$. Next, we state Minkowski’s ‘first theorem’ in the geometry of numbers.

Theorem 1 (Minkowski’s First Theorem). Let $\mathcal{L}$ be a lattice in $\mathbb{R}^n$ and let $\lambda_1(\mathcal{L})$ denote the first Minkowski minimum of $\mathcal{L}$ (see Def. 1). Then $\lambda_1(\mathcal{L}) \le \det(\mathcal{L})^{1/n}$.

We will use the following point-counting variant of Minkowski’s ‘first theorem’, which is due to Blichfeldt and van der Corput (see [8]).

Theorem 2 (Blichfeldt–van der Corput). Let $\mathcal{L}$ be a lattice in $\mathbb{R}^n$ and let $K$ denote the origin-centered box $\{\mathbf{v} \in \mathbb{R}^n : \|\mathbf{v}\|_\infty \le H\}$ of volume $\mathrm{Vol}(K) = (2H)^n$. Then the number of points of the lattice $\mathcal{L}$ contained in the box $K$ is at least $2 \cdot \mathrm{Int}\!\left(\frac{\mathrm{Vol}(K)}{2^n \det(\mathcal{L})}\right) + 1$, where for any $z \in \mathbb{R}$, $\mathrm{Int}(z)$ denotes the largest integer which is strictly less than $z$.

Finally, we will also make use of Minkowski’s ‘second theorem’ [8].

Theorem 3 (Minkowski’s Second Theorem). Let $\mathcal{L}$ be a full-rank lattice in $\mathbb{R}^n$ and let $\lambda_1(\mathcal{L}), \ldots, \lambda_n(\mathcal{L})$ denote the $n$ Minkowski minima of $\mathcal{L}$ (see Definition 1). Then $\lambda_1(\mathcal{L}) \cdots \lambda_n(\mathcal{L}) \le 2^n \det(\mathcal{L})$.

2.3 An Algebraic Counting Lemma 

The following is a fundamental lemma that we use, interestingly, for both the correctness and security proofs of our construction. Fix a prime $p$ defining the finite field $\mathbb{Z}_p$, positive integer parameters $(n, t, H)$, and an arbitrary set $A$ of polynomials of degree at least 1 and at most $t$ over $\mathbb{Z}_p$. The lemma gives us an upper bound on the probability that, for $n$ randomly chosen elements $\alpha_1, \ldots, \alpha_n$ of $\mathbb{Z}_p$, there will exist a polynomial $a(x) \in A$ which has ‘small’ absolute value modulo $p$ (less than $H$) at all the points $\alpha_1, \ldots, \alpha_n$. We remark that a similar (and more general) lemma was used in the analysis of a polynomial approximation algorithm [20]. Note that the lemma does not hold in general if we allow $A$ to contain constant polynomials, since these polynomials may have constant coefficient smaller than $H$.

Lemma 1. Fix a prime $p$, positive integers $(n, t, H)$, and a non-empty set $A$ of polynomials of degree at least 1 and at most $t$ with coefficients in $\mathbb{Z}_p$. Let $\mathcal{E}(n, t, H, A) \subseteq \mathbb{Z}_p^n$ denote the set of vectors $\boldsymbol{\alpha} = (\alpha_1, \ldots, \alpha_n) \in \mathbb{Z}_p^n$ for which there exists a polynomial $a \in A$ such that $\|a(\alpha_i)\|_{L,p} < H$ for all $i = 1, \ldots, n$. The size of the set $\mathcal{E}(n, t, H, A)$ is upper bounded as follows:

$$\#\mathcal{E}(n, t, H, A) \le \#A \cdot (2Ht)^n.$$

Proof. Suppose that $\boldsymbol{\alpha} = (\alpha_1, \ldots, \alpha_n) \in \mathbb{Z}_p^n$ is such that there exists a polynomial $a \in A$ such that

$$\|a(\alpha_i)\|_{L,p} < H \quad \text{for } i = 1, \ldots, n. \qquad (1)$$

It follows that there exist $n$ integers $r_1, \ldots, r_n$ such that, for each $i = 1, \ldots, n$, we have $a(\alpha_i) - r_i \equiv 0 \pmod p$ with $|r_i| < H$, and hence $\alpha_i$ is a zero of the polynomial $g_i(x) = a(x) - r_i$ over $\mathbb{Z}_p$. But for each $i$, $g_i$ is a polynomial of degree at least 1 and at most $t$ over $\mathbb{Z}_p$ and hence has at most $t$ zeros in $\mathbb{Z}_p$. So for each possible value for $(r_1, \ldots, r_n) \in (-H, H)^n$ and $a \in A$, there are at most $t^n$ ‘bad’ values for $\boldsymbol{\alpha} = (\alpha_1, \ldots, \alpha_n) \in (\mathbb{Z}_p)^n$ such that (1) holds. Using the fact that there are less than $(2H)^n$ possible values for $(r_1, \ldots, r_n)$ and at most $\#A$ possible values for $a$, the claimed bound follows. □



3 Definition of Changeable-Threshold Secret-Sharing 
Schemes 

We will use the following definition of a threshold secret-sharing scheme, which is a slight modification of the definition in [17].

Definition 2 (Threshold Scheme). A $(t, n)$-threshold secret-sharing scheme $\mathrm{TSS} = (\mathrm{GC}, \mathrm{D}, \mathrm{C})$ consists of three efficient algorithms:

1. GC (Public Parameter Generation): Takes as input a security parameter $k \in \mathbb{N}$ and returns a string $x \in X$ of public parameters.

2. D (Dealer Setup): Takes as input a security/public parameter pair $(k, x)$ and a secret $s$ from the secret space $S(k, x) \subseteq \{0, 1\}^*$, and returns a list of $n$ shares $\mathbf{s} = (s_1, \ldots, s_n)$, where $s_i$ is in the $i$th share space $S_i(k, x)$ for $i = 1, \ldots, n$. We denote by

$$\mathrm{D}_{k,x}(\cdot, \cdot) : S(k, x) \times \mathcal{R}(k, x) \to S_1(k, x) \times \cdots \times S_n(k, x)$$

the mapping induced by algorithm D (here $\mathcal{R}(k, x)$ denotes the space of random inputs to the probabilistic algorithm D).

3. C (Share Combiner): Takes as input a security/public parameter pair $(k, x)$ and any subset $\mathbf{s}_I = (s_i : i \in I)$ of $t$ out of the $n$ shares, and returns a recovered secret $s \in S(k, x)$ (here $I$ denotes a subset of $[n]$ of size $\#I = t$).




Lattice-Based Threshold-Changeability 177 



The correctness and security properties of a $(t, n)$-threshold secret-sharing scheme can be quantified by the following definitions, which are modifications of those in [17].

Definition 3 (Correctness, Security). A $(t, n)$-threshold secret-sharing scheme $\mathrm{TSS} = (\mathrm{GC}, \mathrm{D}, \mathrm{C})$ is said to be:

1. $\delta_c$-correct: If the secret recovery fails for a ‘bad’ set of public parameters of probability $p_f$ at most $\delta_c$. Precisely, $p_f$ is the probability (over $x = \mathrm{GC}(k) \in X$) that there exist $(s, r) \in S(k, x) \times \mathcal{R}(k, x)$ and $I \subseteq [n]$ with $\#I = t$ such that $\mathrm{C}_{k,x}(\mathbf{s}_I) \ne s$, where $\mathbf{s} = \mathrm{D}_{k,x}(s, r)$ and $\mathbf{s}_I = (s_i : i \in I)$.

We say that TSS is asymptotically correct if, for any $\delta > 0$, there exists $k_0 \in \mathbb{N}$ such that TSS is $\delta$-correct for all $k > k_0$.

2. $(t_s, \delta_s, \epsilon_s)$-secure with respect to the secret probability distribution $P_{k,x}$ on $S(k, x)$: If, with probability at least $1 - \delta_s$ over the choice of public parameters $x = \mathrm{GC}(k)$, the worst-case secret entropy loss for any $t_s$ observed shares is at most $\epsilon_s$, that is

$$|L_{k,x}(\mathbf{s}_I)| \stackrel{\mathrm{def}}{=} |H(s \in S(k, x)) - H(s \in S(k, x) \mid \mathbf{s}_I)| \le \epsilon_s,$$

for all $\mathbf{s} \in S_1(k, x) \times \cdots \times S_n(k, x)$ and $I \subseteq [n]$ with $\#I \le t_s$. We say that TSS is asymptotically $t_s$-secure with respect to $P_{k,x}$ if, for any $\delta > 0$ and $\epsilon > 0$ there exists $k_0 \in \mathbb{N}$ such that TSS is $(t_s, \delta, \epsilon \cdot k)$-secure with respect to $P_{k,x}$ for all $k > k_0$.

The following definition of Threshold Changeability without dealer assistance for a secret sharing scheme is a modification of the definition in [15].

Definition 4 (Threshold-Changeability). A $(t, n)$-threshold secret-sharing scheme $\mathrm{TSS} = (\mathrm{GC}, \mathrm{D}, \mathrm{C})$ is called threshold-changeable to $t'$ with $\delta_c$-correctness and $(t_s, \delta_s, \epsilon_s)$-security with respect to secret distribution $P_{k,x}$, if there exist $n$ efficient subshare generation algorithms $\mathrm{H}_i : S_i(k, x) \to T_i(k, x)$ for $i = 1, \ldots, n$, and an efficient subshare combiner algorithm $\mathrm{C}'$ such that the modified $(t', n)$-threshold scheme $\mathrm{TSS}' = (\mathrm{GC}, \mathrm{D}', \mathrm{C}')$, with modified shares

$$\mathrm{D}'_{k,x}(s, r) \stackrel{\mathrm{def}}{=} (\mathrm{H}_1(s_1), \ldots, \mathrm{H}_n(s_n)) \in T_1(k, x) \times \cdots \times T_n(k, x),$$

where $(s_1, \ldots, s_n) = \mathrm{D}_{k,x}(s, r)$, is $\delta_c$-correct and $(t_s, \delta_s, \epsilon_s)$-secure with respect to $P_{k,x}$. TSS is called asymptotically threshold-changeable to $(t_s, t')$ with respect to $P_{k,x}$ if there exist algorithms $\mathrm{H}_i : S_i(k, x) \to T_i(k, x)$ ($i = 1, \ldots, n$) and $\mathrm{C}'$ such that the $(t', n)$-threshold scheme $\mathrm{TSS}'$ defined above is asymptotically correct and asymptotically $t_s$-secure with respect to $P_{k,x}$.

The idea captured by the above definition is that the change of threshold from $t$ to $t'$ is implemented by getting each shareholder to replace his original share $s_i$ by the subshare $\mathrm{H}_i(s_i)$ output by the subshare generation algorithm (the original share $s_i$ is then discarded).
4 Threshold-Changeability for Shamir Secret-Sharing 

4.1 The Standard Shamir Scheme 

The standard Shamir $(t, n)$-threshold secret sharing scheme is defined as follows.

Scheme ShaTSS = (GC, D, C): Shamir $(t, n)$-Threshold Secret-Sharing

1. $\mathrm{GC}(k)$ (Public Parameter Generation):

(a) Pick a (not necessarily random) prime $p \in [2^k, 2^{k+1}]$ with $p > n$.

(b) Pick uniformly at random $n$ distinct non-zero elements $\boldsymbol{\alpha} = (\alpha_1, \ldots, \alpha_n) \in D((\mathbb{Z}_p^*)^n)$. Return $x = (p, \boldsymbol{\alpha})$.

2. $\mathrm{D}_{k,x}(s, \mathbf{a})$ (Dealer Setup): To share secret $s \in \mathbb{Z}_p$ using $t - 1$ uniformly random elements $\mathbf{a} = (a_1, \ldots, a_{t-1}) \in \mathbb{Z}_p^{t-1}$, build the polynomial $a_{s,\mathbf{a}}(x) = s + a_1 x + a_2 x^2 + \ldots + a_{t-1} x^{t-1} \in \mathbb{Z}_p[x; t-1]$. The $i$th share is $s_i = a_{s,\mathbf{a}}(\alpha_i) \bmod p$ for $i = 1, \ldots, n$.

3. $\mathrm{C}_{k,x}(\mathbf{s}_I)$ (Share Combiner): To combine shares $\mathbf{s}_I = (s_i : i \in I)$ for some $I \subseteq [n]$ with $\#I = t$, compute by Lagrange interpolation the unique polynomial $b \in \mathbb{Z}_p[x; t-1]$ such that $b(\alpha_i) \equiv s_i \pmod p$ for all $i \in I$. The recovered secret is $s = b(0) \bmod p$.



4.2 Threshold- Changing Algorithms 

Our threshold-changing subshare generation and combiner algorithms to change the $(t, n)$-threshold scheme ShaTSS = (GC, D, C) into a $(t', n)$-threshold scheme ShaTSS' = (GC, D', C') are defined as follows. Note that the subshare combiner algorithm uses an efficient CVP approximation algorithm $\mathcal{A}_{CVP}$ with $\|\cdot\|_\infty$-approximation factor $\gamma_{CVP}$. We define $\Gamma_{CVP} = \log(\lceil \gamma_{CVP} + 1 \rceil)$ (if we use the Babai poly-time CVP algorithm, we have $\Gamma_{CVP} \le 1 + 0.5(t' + t + \log(t' + t))$).

Scheme ShaTSS': Changing Threshold to $t' > t$

1. $\mathrm{H}_i(s_i)$ ($i$th Subshare Generation): To transform share $s_i \in \mathbb{Z}_p$ of the original $(t, n)$-threshold scheme into subshare $t_i \in \mathbb{Z}_p$ of the desired $(t', n)$-threshold scheme ($t' > t$), the $i$th shareholder does the following (for all $i = 1, \ldots, n$):

(a) Determine the noise bound $H$ which guarantees $\delta_c$-correctness (typically, we set $\delta_c = k^{-t}$):

i. Set $H = \max(\lfloor p^\alpha / 2 \rfloor, 1)$ with

ii. $\alpha = 1 - \dfrac{1 + \delta_F}{t'/t} > 0$ (noise bitlength fraction) and

iii. $\delta_F = \dfrac{t'/t}{k}\left(\log(\delta_c^{-1/t'}\, n t) + \Gamma_{CVP} + 1\right)$.

(b) Compute $t_i = \alpha_i \cdot s_i + r_i \bmod p$ for a uniformly random integer $r_i$ with $|r_i| < H$.

2. $\mathrm{C}'_{k,x}(\mathbf{t}_I)$ (Subshare Combiner): To combine subshares $\mathbf{t}_I = (t_i : i \in I)$ for some $I = \{i[1], \ldots, i[t']\}$ with $\#I = t'$ (and guaranteed $\delta_c$-correctness), do the following:
(a) Build the following $(t' + t) \times (t' + t)$ matrix $M_{Sha}(\boldsymbol{\alpha}_I, H, p)$, whose rows form a basis for a full-rank lattice $\mathcal{L}_{Sha}(\boldsymbol{\alpha}_I, H, p)$ in $\mathbb{Q}^{t'+t}$:

$$M_{Sha}(\boldsymbol{\alpha}_I, H, p) = \begin{pmatrix}
p & 0 & \cdots & 0 & 0 & 0 & \cdots & 0 \\
0 & p & \cdots & 0 & 0 & 0 & \cdots & 0 \\
\vdots & & \ddots & & \vdots & & & \vdots \\
0 & 0 & \cdots & p & 0 & 0 & \cdots & 0 \\
\alpha_{i[1]} & \alpha_{i[2]} & \cdots & \alpha_{i[t']} & H/p & 0 & \cdots & 0 \\
\alpha_{i[1]}^2 & \alpha_{i[2]}^2 & \cdots & \alpha_{i[t']}^2 & 0 & H/p & \cdots & 0 \\
\vdots & & & \vdots & & & \ddots & \\
\alpha_{i[1]}^t & \alpha_{i[2]}^t & \cdots & \alpha_{i[t']}^t & 0 & 0 & \cdots & H/p
\end{pmatrix}.$$

(b) Define $\mathbf{t}' = (t_{i[1]}, \ldots, t_{i[t']}, 0, 0, \ldots, 0) \in \mathbb{Q}^{t'+t}$.

(c) Run the CVP approximation algorithm $\mathcal{A}_{CVP}$ on the lattice $\mathcal{L}_{Sha}(\boldsymbol{\alpha}_I, H, p)$ given by $M_{Sha}(\boldsymbol{\alpha}_I, H, p)$ with target vector $\mathbf{t}'$. Let $\mathbf{c} = (c_1, \ldots, c_{t'}, c_{t'+1}, \ldots, c_{t'+t}) \in \mathbb{Q}^{t'+t}$ denote the output vector returned by $\mathcal{A}_{CVP}$, approximating the closest vector in $\mathcal{L}_{Sha}$ to $\mathbf{t}'$.

(d) Compute the recovered secret $s' = (p/H) \cdot c_{t'+1} \bmod p$.
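A complete run of ShaTSS' on a toy instance, as an added Python example that is my code and not the paper's: the noise bound follows step 1(a) with the constants as they appear in this copy, LLL followed by Babai's nearest-plane algorithm plays the role of $\mathcal{A}_{CVP}$, and the lattice is scaled by $p$ so that the basis is integral (this does not change the recovered value $s' = c_{t'+1}/H$). The 61-bit prime, $(t, t', n) = (2, 4, 6)$ and the secret are assumed toy values; the paper's $k$ is much larger.

```python
import math
import secrets
from fractions import Fraction

# Constructed toy instance (assumption): a 61-bit prime and (t, t', n) = (2, 4, 6).
P = (1 << 61) - 1

def noise_bound(p, t, t_new, n, delta_c=None):
    """Step 1(a): H = max(floor(p^alpha / 2), 1), alpha = 1 - (1 + delta_F)/(t'/t),
    delta_F = (t'/t)/k * (log(delta_c^(-1/t') n t) + Gamma_CVP + 1), Gamma_CVP for Babai."""
    k = p.bit_length() - 1                                  # p in [2^k, 2^(k+1)]
    delta_c = k ** (-t) if delta_c is None else delta_c
    gamma = 1 + 0.5 * (t_new + t + math.log2(t_new + t))    # Babai's Gamma_CVP bound
    ratio = t_new / t
    delta_f = ratio / k * (math.log2(delta_c ** (-1 / t_new) * n * t) + gamma + 1)
    alpha = 1 - (1 + delta_f) / ratio
    if alpha <= 0:
        raise ValueError("security parameter too small for this t'/t")
    return max(int(2 ** (alpha * math.log2(p))) // 2, 1)

def shamir_deal(secret, t, n, p):
    """Standard Shamir: distinct non-zero alpha_i, s_i = a(alpha_i) with a(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(t - 1)]
    alphas = []
    while len(alphas) < n:
        a = 1 + secrets.randbelow(p - 1)
        if a not in alphas:
            alphas.append(a)
    shares = [sum(c * pow(a, j, p) for j, c in enumerate(coeffs)) % p for a in alphas]
    return alphas, shares

def make_subshare(alpha_i, s_i, H, p):
    """Step 1(b): t_i = alpha_i * s_i + r_i mod p with r_i uniform in (-H, H)."""
    r_i = secrets.randbelow(2 * H - 1) - (H - 1)
    return (alpha_i * s_i + r_i) % p

def dot(u, v):
    return sum(x * y for x, y in zip(u, v))

def gram_schmidt(b):
    n = len(b)
    bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = list(b[i])
        for j in range(i):
            mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
            v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
        bstar.append(v)
    return bstar, mu

def lll(basis, delta=Fraction(99, 100)):
    """Textbook LLL over exact rationals; fine for a (t'+t)-dimensional toy lattice."""
    b = [[Fraction(x) for x in row] for row in basis]
    n, k = len(b), 1
    bstar, mu = gram_schmidt(b)
    while k < n:
        for j in range(k - 1, -1, -1):                      # size-reduce b_k (b* unchanged)
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                for i in range(j):
                    mu[k][i] -= q * mu[j][i]
                mu[k][j] -= q
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1                                          # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt(b)
            k = max(k - 1, 1)
    return b

def babai_closest(reduced, target):
    """Babai nearest-plane algorithm: the A_CVP used by the combiner."""
    bstar, _ = gram_schmidt(reduced)
    w = [Fraction(x) for x in target]
    for i in range(len(reduced) - 1, -1, -1):
        c = round(dot(w, bstar[i]) / dot(bstar[i], bstar[i]))
        w = [x - c * y for x, y in zip(w, reduced[i])]
    return [x - y for x, y in zip(target, w)]               # target minus residual

def combine_subshares(alphas_I, subshares_I, t, H, p):
    """Step 2 with M_Sha scaled by p: rows p*(p e_i) and p*(alpha^j, ..., (H/p) e_{t'+j}),
    target p*(t_i, ..., 0, ...); then s' = c_{t'+1} / H."""
    t_new = len(alphas_I)
    dim = t_new + t
    basis = []
    for i in range(t_new):
        row = [0] * dim
        row[i] = p * p
        basis.append(row)
    for j in range(1, t + 1):
        row = [p * pow(a, j, p) for a in alphas_I] + [0] * t
        row[t_new + j - 1] = H
        basis.append(row)
    target = [p * x for x in subshares_I] + [0] * t
    c = babai_closest(lll(basis), target)
    hs = int(c[t_new])                                      # H * s when recovery succeeds
    if hs % H:
        raise ValueError("CVP approximation did not hit a valid coefficient vector")
    return (hs // H) % p

def change_threshold_demo(secret, t=2, t_new=4, n=6, p=P):
    """Deal, replace every share by its subshare, recover from t' of them; returns (H, s')."""
    H = noise_bound(p, t, t_new, n)
    alphas, shares = shamir_deal(secret, t, n, p)
    subshares = [make_subshare(a, s, H, p) for a, s in zip(alphas, shares)]
    chosen = sorted(secrets.SystemRandom().sample(range(n), t_new))
    return H, combine_subshares([alphas[i] for i in chosen],
                                [subshares[i] for i in chosen], t, H, p)
```

For these toy parameters the rule of step 1(a) gives $H \approx 2^{16.5}$, i.e. roughly a quarter of each subshare's bits is noise, and the box of side $2pH$ around the scaled target contains the lattice point $(p(\alpha_{i[j]} a(\alpha_{i[j]}) + k_j p), Hs, Ha_1, \ldots)$ and essentially nothing else, which is why Babai's rounding lands on it. The divisibility check on $c_{t'+1}$ is the cheap runtime signal that the combiner should surface rather than silently returning a wrong secret.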



Remark 1. The reason for multiplying the shares $s_i$ by $\alpha_i$ before adding the noise $r_i$ is that otherwise the secret may not be uniquely recoverable from the noisy subshares (indeed, $a(\alpha_i) + r_i = (a(\alpha_i) + 1) + (r_i - 1)$, and typically $|r_i - 1| < H$, so secrets $s$ and $s + 1$ would be indistinguishable).



Remark 2. It is not difficult to see that our method of adding a ‘small’ random noise integer with $|r_i| < H$ to the share multiple $\alpha_i \cdot s_i$ modulo $p$ is essentially equivalent (in the sense of information on the secret) to passing the residues $\alpha_i \cdot s_i \bmod p$ through a deterministic function which chops off the $\log(2H) \approx (1 - 1/(t'/t)) \cdot k$ least-significant bits of the $k$-bit residues $\alpha_i \cdot s_i \bmod p$, and this also yields shorter subshares than in our method above. However, since reducing the length of the original shares is not our main goal, we have chosen to present our scheme as above since it slightly simplifies our scheme and its analysis. Similar results can be obtained, however, for the ‘deterministic’ approach of chopping off least-significant bits.



Remark 3. Some special variants of the Shamir scheme use special values for the points $\alpha_i$, such as $\alpha_i = i$ for $i = 1, \ldots, n$, to which the above method does not apply, because of its reliance on the random choice of the $\alpha_i$’s. However, it turns out that our method can be modified to work even for these special Shamir variants. The idea is to make up for the loss of randomness in the $\alpha_i$’s by getting the shareholders to multiply their shares by additional random integers (say $\beta_i \in \mathbb{Z}_p$) prior to adding the random noise $r_i$. The $\beta_i$’s are then sent along to the combiner with the noisy subshares. We do not analyze this variant of our scheme in this paper.
4.3 Correctness 

The following theorem shows that the choice of the parameter $\delta_F$ used in our threshold changing algorithm is sufficient to guarantee the $\delta_c$-correctness of our scheme for all sufficiently large security parameters.

Theorem 4 (Correctness). The scheme ShaTSS' (with parameter choice $\delta_c = k^{-t}$) is asymptotically correct. Concretely, for any choice of parameter $\delta_c$ ($0 < \delta_c < 1$), the $(t', n)$ scheme ShaTSS' is $\delta_c$-correct for all security parameters $k$ satisfying the inequality $k > k_0$, where

$$k_0 = \frac{t'/t}{t'/t - 1}\left(\log(\delta_c^{-1/t'}\, n t) + \Gamma_{CVP} + 2\right).$$

Proof. Fix a subshare subset $I \subseteq [n]$ with $\#I = t'$. We know by construction of the lattice $\mathcal{L}_{Sha}(\boldsymbol{\alpha}_I)$ that the dealer’s secret polynomial $a_{s,\mathbf{a}}(x) = s + a_1 x + \ldots + a_{t-1} x^{t-1} \in \mathbb{Z}_p[x; t-1]$ gives rise to the lattice vector

$$\mathbf{a}' = \left(\alpha_{i[1]} a_{s,\mathbf{a}}(\alpha_{i[1]}) + k_1 p, \ldots, \alpha_{i[t']} a_{s,\mathbf{a}}(\alpha_{i[t']}) + k_{t'} p,\ \tfrac{H}{p} s,\ \tfrac{H}{p} a_1, \ldots, \tfrac{H}{p} a_{t-1}\right),$$

which is “close” to the target vector

$$\mathbf{t}' = \left(\alpha_{i[1]} a_{s,\mathbf{a}}(\alpha_{i[1]}) + r_{i[1]} + k_1 p, \ldots, \alpha_{i[t']} a_{s,\mathbf{a}}(\alpha_{i[t']}) + r_{i[t']} + k_{t'} p,\ 0, 0, \ldots, 0\right),$$

where the integer $k_j$ is chosen so that $\alpha_{i[j]} a_{s,\mathbf{a}}(\alpha_{i[j]}) + r_{i[j]} + k_j p = t_{i[j]}$ for all $j = 1, \ldots, t'$. In particular we have, using $|r_{i[j]}| < H$ for all $j = 1, \ldots, t'$, that $\|\mathbf{a}' - \mathbf{t}'\|_\infty < H$. Consequently, since $\mathcal{A}_{CVP}$ is a CVP approximation algorithm with $\|\cdot\|_\infty$-approximation factor $\gamma_{CVP}$, its output lattice vector $\mathbf{c}$ will also be “close” to the target vector, namely we have $\|\mathbf{c} - \mathbf{t}'\|_\infty < \gamma_{CVP} \cdot H$. Applying the triangle inequality, we conclude that the lattice vector $\mathbf{z} = \mathbf{c} - \mathbf{a}'$ satisfies

$$\|\mathbf{z}\|_\infty = \|\mathbf{c} - \mathbf{a}'\|_\infty < (\gamma_{CVP} + 1) H. \qquad (2)$$

Now, either $\frac{p}{H}\mathbf{c}[t'+1] \equiv \frac{p}{H}\mathbf{a}'[t'+1] = s \pmod p$, in which case the combiner succeeds to recover secret $s$, or otherwise we have the ‘bad’ case that

$$\frac{p}{H}\mathbf{z}[t'+1] = \frac{p}{H}\mathbf{c}[t'+1] - \frac{p}{H}\mathbf{a}'[t'+1] \not\equiv 0 \pmod p. \qquad (3)$$

Hence, for fixed $I$, the combiner succeeds except for a fraction $\delta_I$ of ‘bad’ choices of $\boldsymbol{\alpha}_I \in D((\mathbb{Z}_p^*)^{t'})$, for which $\mathcal{L}_{Sha}(\boldsymbol{\alpha}_I)$ contains a ‘short’ and ‘bad’ vector $\mathbf{z}$ satisfying (2) and (3). To upper bound $\delta_I$, consider the polynomial $f(x) = \frac{p}{H}\mathbf{z}[t'+1]\, x + \cdots + \frac{p}{H}\mathbf{z}[t'+t]\, x^t$. Note that, since $\mathbf{z} \in \mathcal{L}_{Sha}$, we have $f(\alpha_{i[j]}) \equiv \mathbf{z}[j] \pmod p$ and hence $\|f(\alpha_{i[j]})\|_{L,p} < (\gamma_{CVP} + 1) H$ for all $j \in [t']$ using (2). Also, $f(x) \bmod p$ has zero constant coefficient and degree at least 1 and at most $t$ over $\mathbb{Z}_p$ using (3). Applying Lemma 1 (with parameters $n = t'$, $t = t$, $H = (\gamma_{CVP} + 1) H$ and $\#A \le p^t$) we conclude that such a ‘bad’ polynomial $f$ exists for at most a fraction $\delta_I \le p^t (2(\gamma_{CVP} + 1) H t)^{t'} / \#D((\mathbb{Z}_p^*)^{t'})$ of $\boldsymbol{\alpha}_I \in D((\mathbb{Z}_p^*)^{t'})$, for each fixed $I$. Hence, the probability $\delta$ that a uniformly chosen $\boldsymbol{\alpha} \in D((\mathbb{Z}_p^*)^n)$ is ‘bad’ for some $I \subseteq [n]$ with $\#I = t'$ is upper bounded as

$$\delta \le \binom{n}{t'} \frac{p^t \left(2(\gamma_{CVP} + 1) H t\right)^{t'}}{\#D((\mathbb{Z}_p^*)^{t'})}, \qquad (4)$$

and a straightforward calculation (see full paper) shows that the right-hand side of (4) is upper bounded by $\delta_c$ for all $k > \frac{t'/t}{t'/t - 1}\left(\log(\delta_c^{-1/t'}\, n t) + \Gamma_{CVP} + 2\right)$.

This completes the proof. □



4.4 Security 

The concrete security of our scheme is given by the following result. It shows that, for fixed $(t', n)$ and with parameter choice $\delta_c = k^{-t}$, the scheme ShaTSS' leaks at most a fraction $\epsilon_s / k = O(\log k / k) = o(1)$ of the entropy of the secret to an attacker observing less than $t' - (t'/t)$ subshares (for all except a fraction $\delta_s = \delta_c = o(1)$ of public parameters, and assuming the security parameter $k$ is sufficiently large).

Theorem 5 (Security). The scheme ShaTSS' (with parameter choice $\delta_c = k^{-t}$) is asymptotically $\mathrm{Int}(t' - (t'/t))$-secure with respect to the uniform secret distribution on $\mathbb{Z}_p$. Concretely, for any parameter choice $\delta_c > 0$, the $(t', n)$ scheme ShaTSS' is $(t_s, \delta_s, \epsilon_s)$-secure with:

$$t_s = \mathrm{Int}\left(\frac{t' - (t'/t)}{1 + \dfrac{t'/t}{k}\left(\log(\delta_c^{-1/t'}\, n t) + \Gamma_{CVP} + 1\right) + \dfrac{1}{k}\log\!\left(2\delta_s^{-1}\binom{n}{t_s}\right)}\right),$$

$$\delta_s = \delta_c, \qquad \epsilon_s = (\beta + 7)(t_s + t) + t_s \log t + 1,$$

where $\beta$ is the constant defined in the paper (its definition is not legible in this copy), for all security parameters $k > k_0$, where, letting $m = t_s + t + 1$ and $\kappa_0$ the value of $k_0$ defined in Theorem 4,

$$k_0 = \max\left(\frac{(t'/t + 1)^2}{t'/t - 1}\,(\beta + \log t + 3),\ (\beta + 4)\, m^2 + 3\, t_s\, m \log m,\ \kappa_0\right).$$
Proof. (Sketch) Fix an observed subshare subset $I \subseteq [n]$ with $\#I = t_s$. Assuming the secret is uniformly distributed on $\mathbb{Z}_p$, it is easy to show (see full paper) that the conditional probability $P_{k,x}(s \mid \mathbf{s}_I)$ of the secret taking the value $s \in \mathbb{Z}_p$ given that the observed sub-share vector takes the value $\mathbf{s}_I$ is given by:

$$P_{k,x}(s \mid \mathbf{s}_I) = \frac{\#S_{s,p}(\boldsymbol{\alpha}_I, t, p, H, \mathbf{s}_I)}{\#S_{0,1}(\boldsymbol{\alpha}_I, t, p, H, \mathbf{s}_I)}, \qquad (5)$$

where, for any integers $s' \ge 0$ and $\rho \ge 1$, we define the set

$$S_{s',\rho}(\boldsymbol{\alpha}_I, t, p, H, \mathbf{s}_I) = \{a \in \mathbb{Z}_p[x; t-1] : \|\alpha_{i[j]}\, a(\alpha_{i[j]}) - \mathbf{s}_I[j]\|_{L,p} < H\ \ \forall j \in [t_s] \text{ and } a(0) \equiv s' \pmod \rho\}.$$
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We will derive a probabilistic lower bound on #5*0, i and upper bound on 
which both hold for all except a fraction 6j < ^s/(”) of ‘bad’ choices 
for ai G D{C2.*Y‘) assuming k > ko (with tg, Sg and fco defined in the theorem 
statement). We then apply these bounds to (5) to get a bound Pfc,x(s|s 7 ) < /p 
for all s (with eg defined in the theorem statement) so that for fixed I, entropy 
loss is bounded as except for fraction 6i of a/ G Zl((2*)*'>). It 

then follows that ifc,a;(s/) < eg for all I C [n] with = tg except for a fraction 
6 < {t)^i < of a G Z1((2P") assuming that k > ko, which proves the 
theorem. 



Reduction to Lattice Point Counting. It remains to derive the desired probabilistic 
upper and lower bounds on $\#S_{s,\rho}$. The following lemma shows that $\#S_{s,\rho}$ is 
equal to the number of points of a certain lattice $\mathcal{L}_{Sha}$ (closely related to the lattice 
used in our subshare combiner algorithm) contained in a $(t_s + t)$-dimensional 
box of side length $2H$, centered on a certain non-lattice vector $\bar{\mathbf{s}}_I$. 



Lemma 2. Fix positive integers $(t, t_s, p, H, \rho)$ such that $p > 2H$ and $\rho$ is a divisor 
of $p$. Let $s \in \mathbb{Z}_p$, $\alpha_I = (\alpha_I[1], \ldots, \alpha_I[t_s]) \in \mathbb{Z}^{t_s}$ and $\mathbf{s}_I = (s_I[1], \ldots, s_I[t_s]) \in \mathbb{Z}^{t_s}$. 
Define $\mathcal{L}_{Sha}(\alpha_I,t,p,H,\rho)$ as the full-rank lattice in $\mathbb{Q}^{t_s+t}$ with basis consisting 
of the rows of the matrix 

$$M_{Sha}(\alpha_I,t,p,H,\rho) = \begin{pmatrix} p & 0 & \cdots & 0 & 0 & 0 & \cdots & 0 \\ 0 & p & \cdots & 0 & 0 & 0 & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & & \vdots \\ 0 & 0 & \cdots & p & 0 & 0 & \cdots & 0 \\ \rho\,\alpha_I[1] & \rho\,\alpha_I[2] & \cdots & \rho\,\alpha_I[t_s] & \frac{2H}{p/\rho} & 0 & \cdots & 0 \\ \alpha_I[1]^2 & \alpha_I[2]^2 & \cdots & \alpha_I[t_s]^2 & 0 & \frac{2H}{p} & \cdots & 0 \\ \vdots & \vdots & & \vdots & \vdots & \vdots & \ddots & \vdots \\ \alpha_I[1]^t & \alpha_I[2]^t & \cdots & \alpha_I[t_s]^t & 0 & 0 & \cdots & \frac{2H}{p} \end{pmatrix}$$ 

and define the vector $\bar{\mathbf{s}}_I \in \mathbb{Q}^{t_s+t}$ 

S / 5 ■ ■ • ; , .^(1 ^ ) ; .^(1 ’ ' * ' ’ 




Then the sizes of the following two sets are equal: 

$$S_{s,\rho}(\alpha_I,t,p,H,\mathbf{s}_I) = \{a \in \mathbb{Z}_p[x]_{[t-1]} : \|\alpha_I[j]\,a(\alpha_I[j]) - s_I[j]\|_{L,p} < H\ \ \forall j \in [t_s] \text{ and } a(0) = s \pmod{\rho}\},$$ 

and 

$$V_{s,\rho}(\alpha_I,t,p,H,\mathbf{s}_I) = \{\mathbf{v} \in \mathcal{L}_{Sha}(\alpha_I,t,p,H,\rho) : \|\mathbf{v} - \bar{\mathbf{s}}_I\|_\infty < H\}.$$ 

Finding a Lower Bound on $\#V_{0,1}$. Lower bounding the number $\#V_{0,1}$ 
of points of the lattice $\mathcal{L}_{Sha}$ in a symmetric box $T_{\bar{\mathbf{s}}_I}(H) = \{\mathbf{v} \in \mathbb{Q}^{t_s+t} : 
\|\mathbf{v} - \bar{\mathbf{s}}_I\|_\infty < H\}$ centered on the vector $\bar{\mathbf{s}}_I$ seems a difficult 'non-homogeneous' problem 
because $\bar{\mathbf{s}}_I$ is in general not a lattice vector. But by 'rounding' $\bar{\mathbf{s}}_I$ to a nearby 
lattice vector $\tilde{\mathbf{s}}_I$ (with rounding error $\varepsilon = \|\tilde{\mathbf{s}}_I - \bar{\mathbf{s}}_I\|_\infty$), we reduce the problem to 
two simpler problems: (1) the 'homogeneous' problem of lower bounding the number 
of lattice points in an origin-centered box $T_0(H-\varepsilon) = \{\mathbf{v} \in \mathbb{Q}^{t_s+t} : \|\mathbf{v}\|_\infty < H-\varepsilon\}$, 
and (2) upper bounding the largest Minkowski minimum $\lambda_{t_s+t}(\mathcal{L}_{Sha})$ of the lattice. 
This general reduction is stated precisely as follows. 

Lemma 3. For any full-rank lattice $\mathcal{L}$ in $\mathbb{R}^n$, vector $\mathbf{s} \in \mathbb{R}^n$, and $H > 0$, we 
have 

$$\#\{\mathbf{v} \in \mathcal{L} : \|\mathbf{v} - \mathbf{s}\|_\infty < H\} \geq \#\{\mathbf{v} \in \mathcal{L} : \|\mathbf{v}\|_\infty < H - \varepsilon\},$$ 

where $\varepsilon = \frac{n}{2}\,\lambda_n(\mathcal{L})$. 

To solve the 'homogeneous' counting problem (1) above we directly apply 
the Blichfeldt-Corput theorem (Theorem 2 in Sec. 2). To solve problem (2) 
above of upper bounding $\lambda_{t_s+t}(\mathcal{L}_{Sha})$, we apply Minkowski's "second theorem" 
(Theorem 3 in Sec. 2) to reduce this problem further to the problem of lower 
bounding the first Minkowski minimum $\lambda_1(\mathcal{L}_{Sha})$. Namely, since $\lambda_i(\mathcal{L}_{Sha}) \geq 
\lambda_1(\mathcal{L}_{Sha})$ for all $i \in [t_s+t]$, Minkowski's second theorem gives $\lambda_{t_s+t}(\mathcal{L}_{Sha}) \leq 
\det(\mathcal{L}_{Sha})/\lambda_1(\mathcal{L}_{Sha})^{t_s+t-1}$. Finally, to lower bound $\lambda_1(\mathcal{L}_{Sha})$ (i.e. the infinity norm of the 
shortest non-zero vector in $\mathcal{L}_{Sha}$), we use a probabilistic argument based on the 
algebraic counting Lemma 1 (similar to the argument used in proving Theorem 4), 
to obtain the following result. 

Lemma 4. Fix positive integers $(t, t_s, H, p)$ and a positive real number $\beta$, such 
that $p > \max\{2H, 2t_s\}$ is prime and $\rho \in \{1, p\}$. For each $\alpha_I \in D((\mathbb{Z}_p^*)^{t_s})$, let 
$\mathcal{L}_{Sha}(\alpha_I,\rho)$ denote the lattice in $\mathbb{Q}^{t_s+t}$ with basis matrix $M_{Sha}(\alpha_I,\rho)$ defined 
in Lemma 2, and let $\mathcal{L}'_{Sha}(\alpha_I)$ denote the lattice in $\mathbb{Q}^{t_s+t-1}$ with basis matrix 
$M'_{Sha}(\alpha_I)$ obtained from $M_{Sha}(\alpha_I,p)$ by removing the $(t_s+1)$th row and column. 
In the case p = 1, if 

1 < det {Cshaiai, l))^^ < H 

then, for at least a fraction 1 — of aj G D{{'K*pY‘) we have 

X\{Csha{ai, 1)) > ts+t 1 det{Csha{oii, . 

In the case p = p, if 



1 < 



then, for at least a fraction 1 



t s log t -\ 1 

^TFi^ldet(£5^„(a/))^TH^ < H 
- 2-/5(L-et-i) ofaj G £>((2p‘») we have 



Ai(£s;ia(«/)) > Xi{Csha(.ai,p)) > 2 det(£ 5 ^„(a/))’ 
Combining the above results (for $(s,\rho) = (0,1)$) we obtain the desired lower 
bound on $\#V_{0,1}$. 

Finding an Upper Bound on $\#V_{s,p}$. We first reduce the point counting problem 
in $\mathcal{L}_{Sha}(\alpha_I,p)$ to a point counting problem in the lower-dimensional lattice 
$\mathcal{L}'_{Sha}(\alpha_I)$ defined in Lemma 4. This is possible because all the vectors of 
$\mathcal{L}_{Sha}(\alpha_I,p)$ in the desired box have their $(t_s+1)$th coordinate equal to 0. 

Lemma 5. Let $\mathcal{L}_{Sha}(\alpha_I,p) \subseteq \mathbb{Q}^{t_s+t}$ and $\mathcal{L}'_{Sha}(\alpha_I) \subseteq \mathbb{Q}^{t_s+t-1}$ be the lattices 
defined in Lemma 4, let $\bar{\mathbf{s}}_I$ be the vector in $\mathbb{Q}^{t_s+t}$ defined in Lemma 2, and let $\bar{\mathbf{s}}'_I$ 
be the vector in $\mathbb{Q}^{t_s+t-1}$ obtained from $\bar{\mathbf{s}}_I$ by removing the $(t_s+1)$th coordinate. 
Then $\#V_{s,p} = \#V'_{s,p}$, where $V_{s,p} = \{\mathbf{v} \in \mathcal{L}_{Sha}(\alpha_I,p) : \|\mathbf{v} - \bar{\mathbf{s}}_I\|_\infty < H\}$ and 
$V'_{s,p} = \{\mathbf{v} \in \mathcal{L}'_{Sha}(\alpha_I) : \|\mathbf{v} - \bar{\mathbf{s}}'_I\|_\infty < H\}$. 

By comparing the total volume of the $\#V'_{s,p}$ disjoint boxes of side length $\lambda_1(\mathcal{L}'_{Sha})$ 
centered on the lattice points in $T'_{\bar{\mathbf{s}}'_I}(H) = \{\mathbf{v} \in \mathbb{Q}^{t_s+t-1} : \|\mathbf{v} - \bar{\mathbf{s}}'_I\|_\infty < H\}$, to 
the volume of $T'_{\bar{\mathbf{s}}'_I}(H + \lambda_1(\mathcal{L}'_{Sha})/2) = \{\mathbf{v} \in \mathbb{Q}^{t_s+t-1} : \|\mathbf{v} - \bar{\mathbf{s}}'_I\|_\infty < H + \lambda_1(\mathcal{L}'_{Sha})/2\}$, which 
contains those disjoint boxes, we reduce the problem of upper bounding $\#V'_{s,p}$ 
to the problem of lower bounding $\lambda_1(\mathcal{L}'_{Sha})$. This general reduction can be 
stated as follows. 

Lemma 6. For any lattice $\mathcal{L}$ in $\mathbb{R}^n$, vector $\mathbf{s} \in \mathbb{R}^n$, and $H > 0$, we have 

$$\#\{\mathbf{v} \in \mathcal{L} : \|\mathbf{v} - \mathbf{s}\|_\infty < H\} \leq \left(\frac{2H}{\lambda_1(\mathcal{L})} + 1\right)^n.$$ 

Now we apply the probabilistic lower bound on $\lambda_1(\mathcal{L}'_{Sha})$ from Lemma 4 in 
Lemma 6 (with $(s,\rho) = (s,p)$) to get the desired upper bound on $\#V_{s,p}$. 

After some straightforward calculation (see full paper), we find that the probabilistic 
lower and upper bounds on $\#V_{s,\rho}$ obtained above hold for all except a 
fraction $\delta_I < \delta_s/\binom{n}{t_s}$ of 'bad' choices for $\alpha_I \in D((\mathbb{Z}_p^*)^{t_s})$ assuming $k \geq k_0$ (with 
$t_s$, $\delta_s$ and $k_0$ defined in the theorem statement), and plugging the bounds in 
(5) gives the desired bound $P_{k,x}(s|\mathbf{s}_I) < 2^{\varepsilon_s}/p$ for all $s$ (with $\varepsilon_s$ defined in the 
theorem statement). This completes the proof sketch. □ 
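The two lattice-counting reductions used in this proof, Lemma 3 (shift the box center to a nearby lattice point at the cost of $\varepsilon = \frac{n}{2}\lambda_n$) and Lemma 6 (the volume bound $(2H/\lambda_1 + 1)^n$), can be checked numerically on a small lattice. The following Python script is an added example and is not part of the paper: it uses a constructed two-dimensional integer lattice in place of $\mathcal{L}_{Sha}$, finds the successive minima in the infinity norm by exhaustive enumeration, and verifies both inequalities for a box centered on a non-lattice point.

```python
from itertools import product

# Constructed example lattice in Z^2 (not the paper's L_Sha): the rows of BASIS
# are the basis vectors.  Small enough that every quantity below can be found
# by exhaustive enumeration of basis coefficients.
BASIS = ((5, 0), (2, 3))
COEFF_BOUND = 40          # |coefficient| <= COEFF_BOUND; ample for the radii used here

def lattice_vectors(basis=BASIS, bound=COEFF_BOUND):
    """All v = x1*b1 + x2*b2 with |x1|, |x2| <= bound (2-dimensional lattice)."""
    (b11, b12), (b21, b22) = basis
    return [(x1 * b11 + x2 * b21, x1 * b12 + x2 * b22)
            for x1, x2 in product(range(-bound, bound + 1), repeat=2)]

def inf_norm(v):
    return max(abs(c) for c in v)

def count_in_box(center, H, basis=BASIS):
    """#{v in L : ||v - center||_inf < H}, the quantity bounded in Lemmas 3 and 6."""
    return sum(1 for v in lattice_vectors(basis)
               if inf_norm((v[0] - center[0], v[1] - center[1])) < H)

def successive_minima(basis=BASIS):
    """(lambda_1, lambda_2) of the 2-dimensional lattice in the infinity norm:
    lambda_1 is the shortest non-zero vector, lambda_2 the shortest vector
    linearly independent of it (brute force; exact for these small radii)."""
    vs = sorted((v for v in lattice_vectors(basis) if v != (0, 0)), key=inf_norm)
    first = vs[0]
    for v in vs:
        if first[0] * v[1] - first[1] * v[0] != 0:   # 2x2 determinant != 0
            return inf_norm(first), inf_norm(v)
    raise ValueError("degenerate basis")

def check_lemma3(center, H, basis=BASIS):
    """Lemma 3: #{||v - s|| < H} >= #{||v|| < H - eps} with eps = (n/2) * lambda_n.
    Returns (lhs, rhs, inequality_holds)."""
    n = 2
    _, lam_n = successive_minima(basis)
    eps = n * lam_n / 2
    lhs = count_in_box(center, H, basis)
    rhs = count_in_box((0, 0), H - eps, basis)
    return lhs, rhs, lhs >= rhs

def check_lemma6(center, H, basis=BASIS):
    """Lemma 6: #{||v - s|| < H} <= (2H / lambda_1 + 1)^n.  Returns (lhs, rhs, holds)."""
    n = 2
    lam_1, _ = successive_minima(basis)
    lhs = count_in_box(center, H, basis)
    rhs = (2 * H / lam_1 + 1) ** n
    return lhs, rhs, lhs <= rhs

if __name__ == "__main__":
    # (1, 2) is not a lattice point (3*x2 = 2 has no integer solution): the
    # 'non-homogeneous' case that Lemma 3 reduces to an origin-centered box.
    print("successive minima:", successive_minima())
    print("Lemma 3 (lhs, rhs, ok):", check_lemma3((1, 2), 10))
    print("Lemma 6 (lhs, rhs, ok):", check_lemma6((1, 2), 10))
```

For this lattice $\lambda_1 = \lambda_2 = 3$, so the rounding error $\varepsilon = 3$ shrinks the radius from 10 to 7; the box around $(1,2)$ holds 22 lattice points against 13 in the smaller origin-centered box, and the Lemma 6 volume bound evaluates to $(23/3)^2 \approx 58.8$, so both reductions are loose but valid here, as they are in the proof.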

An immediate consequence of the above results is the following. 

Corollary 1. For any $(t,n)$ and $t' > t$, the standard Shamir $(t,n)$-threshold 
secret-sharing scheme ShaTSS is asymptotically threshold-changeable to 
$(\mathrm{Int}(t' - t'/t), t')$ with respect to the uniform secret distribution. 

5 Conclusions 

We presented a new cryptographic application of lattice reduction techniques to 
achieve threshold-changeability for the standard Shamir (t, n)-threshold scheme. 
We proved concrete bounds on the correctness and security of our method, mak- 
ing use of fundamental results from lattice theory in our analysis. 
Abstract. We study the class of masking based domain extenders for 
UOWHFs. Our first contribution is to show that any correct masking 
based domain extender for UOWHF which invokes the compression 
UOWHF $s$ times must use at least $\lceil \log_2 s \rceil$ masks. As a consequence, we 
obtain the key expansion optimality of several known algorithms among 
the class of all masking based domain extending algorithms. Our second 
contribution is to present a new parallel domain extender for UOWHF. 
The new algorithm achieves asymptotically optimal speed-up over the 
sequential algorithm and the key expansion is almost everywhere optimal, 
i.e., it is optimal for almost all possible numbers of invocations of 
the compression UOWHF. Our algorithm compares favourably with all 
previously known masking based domain extending algorithms. 

Keywords: UOWHF, domain extender, parallel algorithm. 



1 Introduction 

A universal one-way hash function (UOWHF) is a function family $\{h_k\}_{k \in \mathcal{K}}$ with 
$h_k : \{0,1\}^n \to \{0,1\}^m$, for which the following task of the adversary is computationally 
infeasible: the adversary chooses an $n$-bit string $x$, is then given a $k$ 
chosen uniformly at random from $\mathcal{K}$ and has to find an $x'$ such that $x \neq x'$ and 
$h_k(x) = h_k(x')$. The notion of UOWHF was introduced in [9]. 

Intuitively, a UOWHF is a weaker primitive than a collision resistant hash 
function (CRHF), since the adversary has to commit to the string x before 
knowing the actual hash function hk for which a collision has to be found. In 
fact, Simon [15] has shown that there is an oracle relative to which UOWHFs 
exist but CRHFs do not exist. Further, as pointed out in [1], the birthday paradox 
does not apply to the UOWHF and hence the message digest can be smaller. 
Thus a construction for UOWHF may be faster than a construction for CRHF. 

There is a second and perhaps more important reason to prefer UOWHF 
over CRHF. A protocol built using a UOWHF may be "more" secure than a 
protocol built using a CRHF. The intuitive reason is that even if it is possible 
to find a collision for a hash function, it might still be difficult to find a collision 
for it when considered as a UOWHF. This situation is nicely summed up in [1]: 
"Ask less of a hash function and it is less likely to disappoint!" 

The important paper by Bellare and Rogaway [1] provides the foundation for 
the recent studies on UOWHFs. They introduce the notion of domain extender 
for UOWHF; show that the classical Merkle-Damgard algorithm does not work 
for UOWHFs; provide several new constructions for UOWHF domain extenders 
and finally provide a secure digital signature scheme based on UOWHF in the 
hash-then-sign paradigm. 

The study in [1] shows that extending the domain usually requires an associated 
increase in key length. One of the major new ideas behind their domain 
extending algorithm is "masking" the outputs of intermediate invocations by 
random strings. This idea of masking based algorithms has later been pursued 
by several authors [14,3,13,12,8,7]. We would like to point out that [1] 
also presents other (i.e., non-masking type) techniques for domain extension. 
However, the key expansion for these techniques is more than that of the masking type 
techniques. Consequently, subsequent work, including the current one, has concentrated 
only on masking type domain extenders. 

Our Contributions: The contribution of this paper is twofold. 

We start by formalizing the class $\mathcal{A}$ of all masking based domain extending 
algorithms. This class includes all known efficient domain extending algorithms 
[14,3,13,12,8,7]. Any masking based algorithm in $\mathcal{A}$ proceeds by XORing 
the output of any intermediate invocation of the compression UOWHF with a 
fixed-length bit string called a mask. 

Suppose $\{h_k\}_{k \in \mathcal{K}}$, $h_k : \{0,1\}^n \to \{0,1\}^m$, is a compression UOWHF whose 
domain is to be extended. Further, suppose that an algorithm in $\mathcal{A}$ makes $s$ 
invocations of $h_k$ (for some $k \in \mathcal{K}$) and uses a total of $p$ masks. In Proposition 1, 
we show that the length of any string in the extended domain is $n + (s-1)(n-m)$. 
The resulting amount of key expansion is $pm$ and hence the key expansion is 
totally determined by the number of masks. 

Our main result on class $\mathcal{A}$ is to obtain a necessary condition for any algorithm 
in $\mathcal{A}$ to be a correct domain extending algorithm. Using this necessary 
condition, we obtain a non-trivial lower bound on the number of masks used 
by any correct algorithm in $\mathcal{A}$. More precisely, in Theorem 1, we show that 
$p \geq \lceil \log_2 s \rceil$. Based on this lower bound, we define the masking efficiency, ME, 
of an algorithm which uses $p$ masks and makes $s$ invocations of the compression 
UOWHF to be $\mathrm{ME} = p - \lceil \log_2 s \rceil$. In the case $\mathrm{ME} = 0$, we say that the algorithm 
achieves optimal masking. Our lower bound immediately shows the masking optimality 
of the sequential algorithm of Shoup [14] and the parallel algorithms 
of [3,7]. 

The basic unit of operation of a domain extending algorithm is one invocation 
of the compression UOWHF. The number of operations made by any sequential 
algorithm is equal to the number of invocations of the compression UOWHF. On 
the other hand, in a parallel algorithm, several invocations of the compression 
UOWHF are done in parallel and thus the number of parallel rounds will be 
lower. Suppose an algorithm makes $s$ invocations of the compression UOWHF 
and uses $N_p$ processors to complete the computation in $N_r$ rounds. Since there 
are $s$ invocations and $N_p$ processors, at least $\lceil s/N_p \rceil$ parallel rounds will be 
required and hence $N_r \geq \lceil s/N_p \rceil$. We define the parallelism efficiency, PE, to be 
equal to $s/N_r$. In general, $\mathrm{PE} \leq N_p$ and in the case $\mathrm{PE} = N_p$ we say that the 
algorithm achieves optimal parallelism. 

Our second contribution is to obtain a parallel domain extending algorithm. 
The basic idea of the algorithm is to divide the input message into several parts, 
hash each part separately and then combine the different parts using a binary 
tree. This idea has already been suggested for collision resistant hash functions 
by Damgard in [2]. Our contribution is to add a suitable masking strategy. The 
result is a simple and efficient parallel domain extending algorithm for UOWHF. 
The masking efficiency ME is almost always zero and in very few cases it is one. 
Hence we say that the masking efficiency of our algorithm is almost always 
optimal. Further, the parallelism efficiency PE is asymptotically optimal. Thus 
our algorithm provides a satisfactory parallel domain extender for UOWHF and 
to a certain extent completes the line of research on obtaining efficient domain 
extenders for UOWHFs which was started in [1]. 

Related Work: We have already mentioned that UOWHF was introduced by 
Naor and Yung [9] and the important work done by Bellare and Rogaway [1]. 
There are several direct constructions of UOWHFs based on general assumptions 
[10,4]. However, as noted in [1] these are not very efficient. Subsequent 
to the work in [1], Shoup [14] described a nice domain extending algorithm 
which is a modification of the Merkle-Damgård construction. Shoup's algorithm 
is a sequential algorithm and Mironov [6] proved that the algorithm achieves 
minimal key length expansion among all sequential masking based domain extending 
algorithms. (As opposed to this, our lower bound shows that Shoup's 
algorithm is optimal among all masking based domain extending algorithms.) 
Later work [13,8,3,12,7] has provided different parallel constructions of domain 
extending algorithms with varying trade-offs between degree of parallelism 
and key length expansion. These are summarized in Tables 1 and 2. 

We note that none of the previous constructions simultaneously achieves optimal 
parallelism and optimal key expansion. (In [7], it is claimed that their 
algorithm achieves optimal parallelism. This claim is not correct: in [7], $s = 2^T$ 
and the number of parallel rounds is $N_r = T + 1$. This requires $N_p = 2^{T-1}$ and 
hence $\mathrm{PE} \approx N_p/\log_2 N_p$; as explained above, for optimal parallelism we should 
have $\mathrm{PE} = N_p$.) 

Note that the algorithms in [1,13,8,7,3] can also be executed with a fixed 
number of processors by a level-by-level simulation of the large binary tree. 
However, this simulation will require storing the results of all the invocations 
at one level and hence will push up the memory requirement. In contrast, for 
our algorithm, the required number of buffers is exactly equal to the number of 
processors. 
Table 1. Comparison of masking efficiency. Here $s$ is the number of invocations of the 
compression UOWHF. 

construction | [1] | [13] | [8] | [12] | [14,3,7] | ours 
ME | $\approx \log_2 s$ | $\approx \log_2 \log_2 s$ | $O(\log^* s)$ | const | 0 | 0 or 1 (*) 

(*) the value is almost always 0. 

Table 2. Comparison of parallelism efficiency. Here $N_p$ is the number of processors. 

construction | [1,13,8,7] | [3] | [12], ours 
PE | $\approx \log N_p$ | $\approx N_p/\mathrm{const.}$ | $\approx N_p$ 



In [7], a sufficient condition for the correctness of any algorithm in A. is 
presented. Essentially, this condition states that, if, for any subtree, there is at 
least one mask which occurs exactly once in that subtree, then the construction 
is correct. In contrast, our necessary condition states that for any correct con- 
struction, for any subtree, there must be at least one mask which occurs an odd 
number of times. Though these two combinatorial conditions are close, they are 
not the same and they have not yet been proved to be equivalent. In fact, it is 
also possible that they cannot be proved to be equivalent. 

Our necessary condition yields a tight lower bound on the number of masks, 
whereas the sufficient condition in [7] is used to verify the correctness of some 
previous constructions. However, it is not easy to apply the sufficient condition 
of [7] to prove the correctness of the construction in [12] and the construction 
presented here. On the other hand, for small examples, it is possible to verify 
that both the construction in [12] and the one presented here satisfy the sufficient 
condition of [7]. Thus our necessary condition and the sufficient condition of [7] 
are actually different and are of separate interest. It could be an interesting 
research problem to obtain a single necessary and sufficient condition for correct 
domain extension for any algorithm in A. 

The rest of the paper is organized as follows. In Section 2, we describe the 
necessary preliminaries. In Section 3, we describe the formal model for masking 
based domain extenders and study its properties. In this section, we also obtain 
the necessary condition and the lower bound on the number of masks. The new 
construction of a parallel domain extending algorithm is described in Section 4. 
Finally, Section 5 concludes the paper. Due to lack of space, most of the proofs 
are omitted. These can be found in the full version of the paper and in the 
technical report [11]. 

2 Preliminaries 

All logarithms in this paper are to the base 2. The notation $x \in_R A$ denotes 
the (uniformly at) random choice of the element $x$ from the set $A$. Also $\lambda$ 
denotes the empty string. By an $(n,m)$ function $f$ we will mean a function 
$f : \{0,1\}^n \to \{0,1\}^m$. A formal definition for UOWHF is given in [9]. In this paper 
we will be interested in "securely" extending the domain of a given UOWHF. 
Our proof technique will essentially be a reduction. We formalize this as a reduction 
between two suitably defined problems. 

Let $F = \{h_k\}_{k \in \mathcal{K}}$ be a keyed family of hash functions, where each $h_k$ is an 
$(n,m)$ function, with $n > m$. Consider the following adversarial game $\mathcal{G}(F)$ for 
the family $F$. 

1. Adversary chooses an $x \in \{0,1\}^n$. 

2. Adversary is given a $k$ which is chosen uniformly at random from $\mathcal{K}$. 

3. Adversary has to find $x'$ such that $x \neq x'$ and $h_k(x) = h_k(x')$. 

The problem $\mathcal{G}(F)$-UOWHF for the family $F$ is to win the game $\mathcal{G}(F)$. 

A strategy $A$ for the adversary runs in two stages. In the first stage 
the adversary finds the $x$ to which he has to commit in Step 1. It also produces 
some auxiliary state information state. In the second stage, given $(x, k, \text{state})$, the 
adversary either finds an $x'$ which provides a collision for $h_k$ or it reports failure. 
Both stages are probabilistic algorithms. The success 
probability of the strategy is measured over the random choices made by the two stages 
and the random choice of $k$ in Step 2 of the game. We say 
that $A$ is an $(\epsilon, q)$-strategy for $\mathcal{G}(F)$-UOWHF if the success probability of $A$ is 
at least $\epsilon$ and it invokes some hash function from the family $F$ at most $q$ times. 
Informally, we say that $F$ is a UOWHF if there is no "good" winning strategy 
for the game $\mathcal{G}(F)$. 

In this paper, we are interested in extending the domain of a UOWHF. Let 
$F = \{h_k\}_{k \in \mathcal{K}}$, where each $h_k$ is an $(n,m)$ function. For $i \geq 1$, let $n_i = n + (i-1)(n-m)$. 
Define $F_0 = F$ and for $i > 0$, define $F_i = \{H_{p_i}\}_{p_i \in \mathcal{P}_i}$, where each 
$H_{p_i}$ is an $(n_i, m)$ function. The family $F_i$ is built from the family $F$. In fact, as 
shown in Proposition 1, a function in $F_i$ is built using exactly $i$ invocations of 
some function in $F$. 

We consider the problem $\mathcal{G}(F_i)$-UOWHF. We say that the adversary has an 
$(\epsilon, q)$-strategy for $\mathcal{G}(F_i)$-UOWHF if there is a strategy $B$ for the adversary with 
probability of success at least $\epsilon$ and which invokes some hash function from 
the family $F$ at most $q$ times. Note that $F_i$ is built using $F$ and hence while 
studying strategies for $\mathcal{G}(F_i)$ we are interested in the number of invocations of 
hash functions from the family $F$. 

The correctness of our construction will essentially be a Turing reduction. We 
will show that if there is an $(\epsilon, q)$-strategy for $\mathcal{G}(F_i)$, then there is an $(\epsilon_1, q_1)$-strategy 
for $\mathcal{G}(F)$, where $\epsilon_1$ is not "significantly" less than $\epsilon$ and $q_1$ is not "significantly" 
more than $q$. In fact, we will have $\epsilon_1 = \epsilon/i$ and $q_1 = q + 2i$. Since $F_i$ 
invokes a hash function from $F$ a total of $i$ times, we "tolerate" a reduction in 
success probability by a factor of $1/i$. (This is also true for other constructions 
such as in [1].) The intuitive interpretation of the reduction is that if $F$ is a 
UOWHF then so is $F_i$ for each $i \geq 1$. 

The key length for the base hash family $F$ is $\lceil \log |\mathcal{K}| \rceil$. On the other hand, 
the key length for the family $F_i$ is $\lceil \log |\mathcal{P}_i| \rceil$. Thus increasing the size of the 
input from $n$ bits to $n_i$ bits results in an increase of the key size by an amount 
$\lceil \log |\mathcal{P}_i| \rceil - \lceil \log |\mathcal{K}| \rceil$. 

3 Lower Bound on Key Expansion 

In this section, we consider the problem of minimising the key expansion while 
securely extending the domain of a UOWHF. More precisely, we are interested in 
obtaining a lower bound on key length expansion. Obtaining a complete answer 
to this problem is in general difficult. Thus we adopt a simpler approach to 
the problem. We fix a class of possible domain extending algorithms and obtain 
a lower bound on key expansion for any algorithm in this class. (Note that 
in computer science, this is the usual approach for proving lower bounds on 
algorithmic problems. For example, the lower bound of $\Omega(n \log n)$ for sorting $n$ 
elements is obtained for the class of all comparison based algorithms.) 

The usefulness of our lower bound depends on the class of algorithms that 
we consider. The class that we consider consists of all masking based domain 
extending algorithms. (We make this more precise later.) All previously known 
masking based algorithms [1, 14, 13, 12,8,3,7] belong to this class. We consider 
this to be ample evidence for the usefulness of our lower bound. However, we 
would like to point out that our lower bound does not hold for any domain ex- 
tending algorithm. Thus it might be possible to achieve lower key expansions. 
However, any such algorithm must adopt an approach which is different from 
masking based algorithms. One possible approach could be to develop the tech- 
nique of using separate keys for the compression functions (see [1]). 

Let $F = \{h_k\}_{k \in \mathcal{K}}$ where each $h_k$ is an $(n,m)$ function. We are interested in 
the class $\mathcal{A}$ of masking based domain extension algorithms. We do not want the 
algorithm to be dependent on the structure of the UOWHF; in fact it should 
work for all UOWHFs which can "fit" into the structure of the algorithm. Any 
algorithm $A \in \mathcal{A}$ behaves in the following manner. 

1. It invokes some function $h_k \in F$ a finite number of times. 

2. The output of all but one invocation of $h_k()$ is masked by XORing with 
an $m$-bit string selected from the set $\{\mu_0, \ldots, \mu_{p-1}\}$. 

3. The invocations of $h_k()$ whose outputs are masked are called intermediate 
invocations and the invocation whose output is not masked is called the 
final invocation. 

4. The entire output of any intermediate invocation is fed into the input of 
exactly one separate invocation of $h_k()$. 

5. Each bit of the message $x$ is fed into exactly one invocation of $h_k()$. 

6. The output of the final invocation is the output of $A$. 

We emphasize that all previously known masking based algorithms [1, 14, 13, 
12, 8, 3, 7] belong to A. In the following we make a general study of any algorithm 
in A, with particular emphasis on obtaining a lower bound on key expansion 
made by any algorithm in A. 




Masking Based Domain Extenders for UOWHFs: Bounds and Constructions 



193 



Proposition 1. Let $A \in \mathcal{A}$ be such that $A$ invokes $h_k()$ a total of $s$ times. 
Then the length of the message which is hashed is equal to $n + (s-1)(n-m)$. 

Thus the number of invocations of $h_k()$ and the parameters $n$ and $m$ determine 
the length of the message to be hashed irrespective of the actual structure 
of the algorithm. Hence any algorithm $A \in \mathcal{A}$ which invokes $h_k()$ a total of $s$ 
times defines a family $F^{(A,s)}$ whose key set $\mathcal{P}$ is a set of bit strings, and each function 
in the family is an $(n + (n-m)(s-1), m)$ function. The structure of any algorithm 
$A \in \mathcal{A}$ which makes $s$ invocations of $h_k()$ is described by a labelled directed 
graph $D_s^A = (V_s, E_s, \psi_s)$, where 

1. $V_s = \{v_1, \ldots, v_s\}$, i.e., there is a node for each invocation of $h_k()$. 

2. $(v_i, v_j) \in E_s$ if and only if the output of the $i$th invocation is fed into the 
input of the $j$th invocation. 

3. $\psi_s$ is a map $\psi_s : E_s \to \{\mu_0, \ldots, \mu_{p-1}\}$ where $\psi_s(v_{i_1}, v_{i_2}) = \mu_j$ if the output 
of the $i_1$-th invocation of $h_k()$ is masked using $\mu_j$. 

The nodes corresponding to the intermediate invocations are called intermediate 
nodes and the node corresponding to the final invocation is called the final node. 
Without loss of generality we assume the final node to be $v_s$. Nodes with indegree 
zero are called leaf nodes and the others are called internal nodes. Define 
$\delta(D_s^A) = \max\{\mathrm{indeg}(v) : v \in V_s\}$. We call $\delta(D_s^A)$ the fan-in of algorithm $A$ 
for $s$ invocations. 

Proposition 2. The outdegree of any intermediate node in $D_s^A$ is 1 and the 
outdegree of the final node is 0. Hence there are exactly $(s-1)$ arcs in $D_s^A$. 
Consequently, $D_s^A$ is a rooted directed tree where the final node is the root of $D_s^A$. 

Proposition 3. If $\delta = \delta(D_s^A)$, then $n \geq \delta m$. 

Thus an algorithm $A$ with fan-in $\delta$ cannot be used with all UOWHFs. The 
value of the fan-in places a restriction on the values of $n$ and $m$. However, given 
this restriction the actual structure of $D_s^A$ does not depend on the particular 
family $F$. 

Let $T$ be a non-trivial subtree of $D_s^A$. Denote by $\mathrm{vec}_\psi(T)$ the $p$-tuple 

$$(\mathrm{num}_{\mu_0}(T) \bmod 2, \ldots, \mathrm{num}_{\mu_{p-1}}(T) \bmod 2),$$ 

where $\mathrm{num}_{\mu_i}(T)$ is the number of times the mask $\mu_i$ occurs in the tree $T$. We say 
that $D_s^A$ is null-free if $\mathrm{vec}_\psi(T) \neq (0, \ldots, 0)$ for each non-trivial subtree $T$ of $D_s^A$. 

We now turn to the task of obtaining a lower bound on key expansion made 
by any algorithm $A$ in $\mathcal{A}$. This consists of two tasks. Firstly, we show that for any 
"correct UOWHF preserving domain extender" $A$ which invokes some function 
from the compression UOWHF exactly $s$ times, the DAG $D_s^A$ must be null-free. 
This translates the problem into a combinatorial one. Our second task is to 
use this combinatorial property to obtain the required lower bound. 

The intuitive idea behind the first part is as follows. Given $D_s^A$ and a family $F'$ 
with suitable parameters, we construct a family $F$ such that if $F'$ is a UOWHF, 
then so is $F$. Then we extend the domain of $F$ using $D_s^A$ to obtain the family 
$F^{(A,s)}$ and show that if $D_s^A$ is not null-free then it is possible to exhibit a collision 
for every function in $F^{(A,s)}$. Now we argue as follows. If $F'$ is a UOWHF and 
$A$ is correct for $s$ invocations, then $F^{(A,s)}$ must also be a UOWHF and hence 
$D_s^A$ must be null-free. This intuitive argument is now formalized in terms of 
reductions. 

Let $A \in \mathcal{A}$ and $D_s^A$ be the DAG corresponding to $s$ invocations of the 
compression family by $A$. We set $\delta = \delta(D_s^A)$. Let $F' = \{h'_k\}_{k \in \mathcal{K}}$ where each $h'_k$ 
is an $(n, m')$ function with $\mathcal{K} = \{0,1\}^K$, $m = m' + K$ and $n = \delta m + \delta + 1$. For 
$z \in \{0,1\}^n$ write 

$$z = z_{1,1}\|z_{1,2}\|z_{2,1}\|z_{2,2}\|\cdots\|z_{\delta,1}\|z_{\delta,2}\|y\|b$$ 

where $|z_{i,1}| = m'$, $|z_{i,2}| = K$ for $1 \leq i \leq \delta$, $|y| = \delta$ and $b \in \{0,1\}$. We write 
$y = y(z)$ and $b = b(z)$ to show the dependence of $y$ and $b$ on $z$. Given $z \in \{0,1\}^n$, 
define $\mathrm{KLst}(z) = \{z_{1,2}, z_{2,2}, z_{3,2}, \ldots, z_{\delta,2}\}$. Given $z \in \{0,1\}^n$ and $k \in \mathcal{K}$, define a 
Boolean function $\phi(z,k)$ to be true (T) if and only if $k = \bigoplus_{w \in S'} w$ for some 
$\emptyset \neq S' \subseteq \mathrm{KLst}(z)$. We define the family of functions $F = \{h_k\}_{k \in \mathcal{K}}$, where each 
$h_k$ is an $(n,m)$ function, in the following manner. 

$$h_k(z) = \begin{cases} h'_k(z)\|k & \text{if } b = 1 \text{ and } \phi(z,k) = \mathrm{F}; \\ h'_k(z)\|0^K & \text{if } b = 0,\ y = 0^\delta \text{ and } \phi(z,k) = \mathrm{F}; \\ h'_k(z)\|S_y & \text{if } b = 0,\ y \neq 0^\delta \text{ and } \phi(z,k) = \mathrm{F}; \\ 1^m & \text{if } \phi(z,k) = \mathrm{T}. \end{cases} \qquad (1)$$ 

Here $y = y(z)$ and $S_y = \bigoplus_{y_i = 1} z_{i,2}$, i.e., the XOR of the $z_{i,2}$'s for which the 
$i$th bit of $y$ is 1. 

Proposition 4. Suppose there is an $(\epsilon, q)$-strategy for $\mathcal{G}(F)$. Then there is an 
$(\epsilon, q)$-strategy for $\mathcal{G}(F')$. 

Intuitively, this means that if $F'$ is a UOWHF, then so is $F$. In the next result 
we show that if $D_s^A$ is not null-free, then it is possible to exhibit a collision for 
each function in $F^{(A,s)}$. 

Lemma 1. Let $A \in \mathcal{A}$ and $F$ be defined as in (1). For $s > 0$, let $F^{(A,s)}$ 
be the family obtained by extending the domain of $F$ using $D_s^A$. If $D_s^A$ is not 
null-free, then it is possible to define two strings $x, x'$ such that $x \neq x'$ and 
$x, x'$ collide under every function in $F^{(A,s)}$. 

We now translate Lemma 1 into a lower bound on the number of masks. 

Definition 1. Let $T_1 = (V_1, E_1)$ and $T_2 = (V_2, E_2)$ be two subtrees of $D_s^A$. We 
denote by $T_1 \Delta T_2$ the subtree of $D_s^A$ induced by the set of arcs $E_1 \Delta E_2$, where 
$E_1 \Delta E_2$ is the symmetric difference between $E_1$ and $E_2$. 

Definition 2. Let $\mathcal{T}$ be a family of non-trivial subtrees of $D_s^A$ such that for any 
$T_1, T_2 \in \mathcal{T}$, the tree $T_1 \Delta T_2$ is also a non-trivial subtree of $D_s^A$. We call $\mathcal{T}$ a 
connected family of $D_s^A$. 
Lemma 2. Let $D_s^A$ be null-free and let $\mathcal{T}$ be a connected family of $D_s^A$. Then 

1. For any $T \in \mathcal{T}$, $\mathrm{vec}_\psi(T) \neq (0, \ldots, 0)$. 

2. For any $T_1, T_2 \in \mathcal{T}$, $\mathrm{vec}_\psi(T_1) \neq \mathrm{vec}_\psi(T_2)$. 

Consequently, $2^p - 1 \geq |\mathcal{T}|$ or equivalently $p \geq \lceil \log_2(|\mathcal{T}| + 1) \rceil$, where $p$ is the 
number of masks used by $A$ for $s$ invocations. 

Lemma 2 provides a lower bound on the number of masks in terms of the sizes 
of connected families. Thus the task is to find a connected family of maximum 
size in $D_s^A$. We show the existence of a connected family of size $(s-1)$ in $D_s^A$. 
For each intermediate node $v \in D_s^A$, let $P_v$ be the path from $v$ to the final node 
of $D_s^A$. Define $\mathcal{F} = \{P_v : v \text{ is an intermediate node in } D_s^A\}$. It is easy to check 
that $\mathcal{F}$ is a connected family of size $(s-1)$. Hence we have the following result. 

Theorem 1. Let $s > 0$ and $A \in \mathcal{A}$ be correct for $s$ invocations. Then the 
number of masks required by $A$ is at least $\lceil \log_2 s \rceil$. 

The bound in Theorem 1 is tight since Shoup's algorithm [14] meets this 
bound with equality. This also shows that Shoup's algorithm is optimal for the 
class $\mathcal{A}$. Also we would like to point out that the lower bound of Theorem 1 
can be improved for particular algorithms. 

Lemma 3. Suppose $D_s^A$ is the full binary tree on $s = 2^t - 1$ nodes. If $t = 2$, 
there is a connected family of size 3 in $D_s^A$ and for $t \geq 3$, there is a connected 
family of size $5 \times 2^{t-2} - 2$ in $D_s^A$. Consequently, $p \geq 2$ for $t = 2$ and $p \geq t + 1$ 
for $t \geq 3$. 
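The null-free condition and the connected-family bound of Lemma 2 can be checked mechanically for small trees. The following Python code is an added example and not part of the paper: it encodes $D_s^A$ as a parent map over the intermediate nodes with a mask index on each arc (the encoding is the example's own), enumerates all non-trivial subtrees to test null-freeness, computes $\mathrm{vec}_\psi$ over the root-path family $\mathcal{F}$ to recover the bound $p \geq \lceil \log_2 s \rceil$, and contrasts a sequential path whose arc $i$ is labelled by the 2-adic valuation of $i$ (assumed here to model the mask schedule of Shoup's scheme [14]; the paper itself gives no such labelling) with a constructed one-mask path that violates the condition.

```python
from itertools import combinations
from math import ceil, log2

# D_s^A encoded as {i: (parent_i, mask_i)} for the intermediate nodes v_1..v_{s-1}:
# the arc (v_i, v_parent) carries mask index mask_i in {0, ..., p-1}.  The final
# node v_s is the root and has no entry.  This encoding is the example's own.

def vec(tree, arcs, p):
    """vec_psi(T) for the arc set T: parity of each mask's number of occurrences."""
    v = [0] * p
    for i in arcs:
        v[tree[i][1]] ^= 1
    return tuple(v)

def is_connected(tree, arcs):
    """True iff the arc set forms a connected subgraph, i.e. a subtree of D_s^A."""
    adj = {}
    for i in arcs:
        a, b = i, tree[i][0]
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    start = next(iter(adj))
    seen, stack = {start}, [start]
    while stack:
        for w in adj[stack.pop()] - seen:
            seen.add(w)
            stack.append(w)
    return len(seen) == len(adj)

def nontrivial_subtrees(tree):
    """Every non-trivial subtree (connected arc set with >= 1 arc); exponential, fine for small s."""
    arcs = sorted(tree)
    for size in range(1, len(arcs) + 1):
        for sub in combinations(arcs, size):
            if is_connected(tree, sub):
                yield sub

def is_null_free(tree, p):
    """The necessary condition of Lemma 1: no subtree contains every mask an even number of times."""
    zero = (0,) * p
    return all(vec(tree, T, p) != zero for T in nontrivial_subtrees(tree))

def root_path_family(tree):
    """F = {P_v : v intermediate}, P_v = arcs on the path from v to the root (size s-1)."""
    family = []
    for v in tree:
        path, u = [], v
        while u in tree:            # climb until the root, which has no parent entry
            path.append(u)
            u = tree[u][0]
        family.append(tuple(path))
    return family

def mask_lower_bound(tree, p):
    """Lemma 2 on F: (ceil(log2(|F|+1)), True iff the vec values are distinct and non-zero)."""
    family = root_path_family(tree)
    vecs = {vec(tree, P, p) for P in family}
    ok = len(vecs) == len(family) and (0,) * p not in vecs
    return ceil(log2(len(family) + 1)), ok

def masking_efficiency(p, s):
    """ME = p - ceil(log2 s); 0 means optimal masking."""
    return p - ceil(log2(s))

def valuation_path(s):
    """Sequential path v_1 -> ... -> v_s with arc i labelled by the 2-adic valuation of i.
    Assumed here to model Shoup's mask schedule; returns (tree, number of masks used)."""
    if s < 2:
        raise ValueError("need at least two invocations")
    tree = {}
    for i in range(1, s):
        nu = (i & -i).bit_length() - 1      # exponent of the largest power of 2 dividing i
        tree[i] = (i + 1, nu)
    return tree, max(m for _, m in tree.values()) + 1

# Constructed counterexample: three invocations in sequence, a single mask mu_0.
ONE_MASK_PATH = {1: (2, 0), 2: (3, 0)}

if __name__ == "__main__":
    tree, p = valuation_path(9)
    print("valuation path, s=9: masks =", p, "null-free =", is_null_free(tree, p),
          "bound/vec-check =", mask_lower_bound(tree, p), "ME =", masking_efficiency(p, 9))
    print("one-mask path, s=3: null-free =", is_null_free(ONE_MASK_PATH, 1),
          "bound =", mask_lower_bound(ONE_MASK_PATH, 1))
```

On the valuation-labelled path every interval of arcs contains exactly one arc carrying the interval's largest mask index, so that mask occurs an odd number of times and the path is null-free with $\lceil \log_2 s \rceil$ masks, i.e. $\mathrm{ME} = 0$; the one-mask path with $s = 3$ fails because the subtree consisting of both arcs has $\mathrm{vec}_\psi = (0)$, which is exactly the $p \geq \lceil \log_2 3 \rceil = 2$ bound of Theorem 1 in action.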

4 New Construction 

For $t > 0$, let $T_t$ be the binary tree defined as $T_t = (V_t = \{P_0, \ldots, P_{2^t-2}\}, A_t)$, 
where $A_t = \{(P_{2j+1}, P_j), (P_{2j+2}, P_j) : 0 \leq j \leq 2^{t-1} - 2\}$. The underlying digraph 
for our algorithm is a binary tree with sequential paths terminating at the leaf 
nodes of the tree. We define a digraph $\mathcal{G}_{t,i}$ which consists of the full binary tree 
$T_t$ along with a total of $i$ nodes on the sequential paths. The precise definition of 
$\mathcal{G}_{t,i} = (V_{t,i}, A_{t,i})$ is 

$$\begin{aligned} V_{t,i} &= V_t \cup \{Q_0, \ldots, Q_{i-1}\}, \\ A_{t,i} &= A_t \cup \{(Q_j, P_{2^{t-1}-1+j}) : 0 \leq j \leq 2^{t-1} - 1\} \cup \{(Q_j, Q_{j-2^{t-1}}) : 2^{t-1} \leq j \leq i-1\}. \end{aligned} \qquad (2)$$ 

The total number of nodes in $\mathcal{G}_{t,i}$ is equal to $2^t - 1 + i$, where $2^t - 1$ nodes 
are in the binary tree part and $i$ nodes are in the sequential part. We define 
parameters $r_{t,i}$ and $s_{t,i}$ (or simply $r$ and $s$) in the following manner: if $i = 0$, 
then $r = s = 0$; if $i > 0$, then $r$ and $s$ are defined by the equation 

$$i = r\,2^{t-1} + s \qquad (3)$$ 

where $s$ is a unique integer from the set $\{1, \ldots, 2^{t-1}\}$. For $i > 0$, we can write 
$i = (r+1) \times s + (2^{t-1} - s)\,r$. Thus in $\mathcal{G}_{t,i}$ there are $s$ sequential paths of length 
$(r+1)$ each and these terminate on the leftmost $s$ leaf nodes of $T_t$. There are 
also $(2^{t-1} - s)$ sequential paths of length $r$ each and these terminate on the other 
$(2^{t-1} - s)$ leaf nodes of $T_t$. Figure 1 shows $\mathcal{G}_{4,19}$. 

We define $p_{t,i}$ (or simply $p$) to be the maximum length (counting only $Q$ 
nodes) of a path from a $Q$-node to a $P$-node. Hence $p = 0$ if $i = 0$ and $p = r + 1$ 
if $i > 0$. 

When $i = 0$, $\mathcal{G}_{t,i}$ is simply the full binary tree $T_t$ and when $t = 1$, $\mathcal{G}_{t,i}$ is a 
dipath of length $r + 1$. These are the two extreme cases, one leading to a full 
binary tree and the other leading to a single dipath. In practical applications, 
$t$ will be fixed and there will be "long" dipaths terminating on the leaf nodes 
of $T_t$. For implementation purposes, the number of processors required is $2^{t-1}$. 
Hence for practical applications, the value of $t \leq 5$. 

Remark: The idea of breaking a message into parts, hashing them indepen- 
dently and finally combining the outputs is present in Damgard [2] in the context 
of collision resistant hash functions. The current construction can be seen as a 
development of the “UOWHF version” of this idea. 

4.1 Notation 

We define a few notations for future reference. 

1. $t$ is the number of levels in the binary tree $T_t$. 

2. $i$ is the total number of nodes in the sequential part of the algorithm. 

3. $r$ and $s$ are as defined in (3). 

4. $p = 0$ if $i = 0$ and $p = r + 1$ if $i > 0$. 

5. $N = 2^t - 1 + i$ is the total number of nodes in $G_{t,i}$. 

6. For $U \in V_{t,i}$, define $\mathrm{nodenum}(U) = j$ if $U = P_j$ and 
$\mathrm{nodenum}(U) = j + 2^t - 1$ if $U = Q_j$. 

7. For $U \in V_{t,i}$, we say that $U$ is a $P$-node (resp. $Q$-node) if $U = P_j$ 
(resp. $U = Q_j$) for some $j$. 

For $U \in V_{t,i}$, we define $\mathrm{indeg}(U)$ (resp. $\mathrm{outdeg}(U)$) to be the indegree (resp. 
outdegree) of $U$. Note that other than $P_0$ each node $U$ has $\mathrm{outdeg}(U) = 1$. Thus 
for each node $U \neq P_0$ there is a unique out neighbour. 

The concept of level is defined in the following manner. There are $L = p + t$ 
levels in $G_{t,i}$ and the level number of each node is defined as follows. 

$$
\begin{aligned}
\mathrm{level}(P_j) &= L - 1 - j_1 &&\text{if } 2^{j_1} - 1 \leq j \leq 2^{j_1+1} - 2 \text{ and } 0 \leq j_1 \leq t - 1; \\
\mathrm{level}(Q_j) &= p - j_1 - 1 &&\text{if } j_1 2^{t-1} \leq j \leq (j_1 + 1) 2^{t-1} - 1 \text{ and } 0 \leq j_1 \leq r - 1; \\
\mathrm{level}(Q_j) &= 0 &&\text{if } r 2^{t-1} \leq j < r 2^{t-1} + s.
\end{aligned}
\tag{4}
$$

Note that if $p = 0$, there are no $Q$-nodes and hence the level numbers of 
$Q$-nodes are not defined. The root node of $T_t$ has the highest level. Nodes with 
indegree zero can be at levels zero and one. Let $U \in V_{t,i}$ and $j = \mathrm{nodenum}(U)$: 
If $0 \leq j \leq 2^{t-1} - 2$ then we define $\mathrm{lchild}(U) = P_{2j+1}$ and $\mathrm{rchild}(U) = P_{2j+2}$; if 
$2^{t-1} - 1 \leq j \leq N - 1$, then we define the predecessor of $U$ in the following manner: 

$$
\begin{aligned}
\mathrm{pred}(U) &= \;\;\; &&\text{if } 2^{t-1} - 1 \leq j \leq 2^{t-1} + i - 2; \\
&= \mathrm{NULL} &&\text{if } 2^{t-1} + i - 1 \leq j \leq N - 1.
\end{aligned}
\tag{5}
$$

For a node $U$, $\mathrm{pred}(U) = \mathrm{NULL}$ implies that the indegree of $U$ is zero. 

4.2 Mask Assignment Algorithm 

There are two disjoint sets of masks $\{\alpha_0, \ldots, \alpha_{l-1}\}$ and $\{\beta_0, \ldots, \beta_{t-2}\}$ where 
$l = \lceil \log(p + t) \rceil$. The mask assignment 

$$ \psi : A_{t,i} \rightarrow \{\alpha_0, \ldots, \alpha_{l-1}\} \cup \{\beta_0, \ldots, \beta_{t-2}\} $$

is a function from the set of arcs of $G_{t,i}$ to the set of masks. The definition of $\psi$ 
is as follows: Let $(U, V) \in A_{t,i}$ with $\mathrm{level}(U) = j - 1$ and $\mathrm{level}(V) = j$ for some 
$j \in \{1, \ldots, L - 1\}$. 

• If (($U$ is a $Q$-node) or ($U$ is a $P$-node and $U = \mathrm{lchild}(V)$)), 
then $\psi(U, V) = \alpha_{\nu(j)}$. 

• If ($U$ is a $P$-node and $U = \mathrm{rchild}(V)$) then $\psi(U, V) = \beta_{j-(p+1)}$. 

Here $\nu(j)$ is defined to be the non-negative integer $j_1$ such that $2^{j_1} \mid j$ and 
$2^{j_1+1} \nmid j$. Also for the convenience of notation we write $\psi(U, V)$ instead of 
$\psi((U, V))$. The mask assignment for $G_{4,19}$ is shown in Figure 1. 



4.3 Optimality of Mask Assignment 

The total number of masks used is equal to $t - 1 + \lceil \log(p + t) \rceil$. The total 
number of nodes in $G_{t,i}$ is equal to $N = 2^t - 1 + i$. Using Theorem 1, at least 
$\mathcal{L}_{t,i} = \lceil \log(2^t - 1 + i) \rceil$ masks are required by any algorithm in class $\mathcal{A}$. Our 
algorithm requires $\mathcal{R}_{t,i} = t - 1 + \lceil \log(p + t) \rceil$ masks. Define $\mathcal{D}_{t,i} = \mathcal{R}_{t,i} - \mathcal{L}_{t,i}$. 
We study $\mathcal{D}_{t,i}$. 

Proposition 5. 

$$
\begin{aligned}
\mathcal{D}_{t,i} &= 0 &&\text{if } i = 0 \text{ and } t = 1; \\
&= \lceil \log t \rceil - 1 &&\text{if } i = 0 \text{ and } t > 1; \\
&= \lceil \log(r + 1 + t) \rceil - \left\lceil \log\left(r + 2 + \left\lceil (s-1)/2^{t-1} \right\rceil\right) \right\rceil &&\text{if } i > 0.
\end{aligned}
\tag{6}
$$

Furthermore, $\mathcal{D}_{t,i} = 0$ if and only if either $t = 1$; or ($t = 2$ and $i = 0$); or 
$2^j - 1 - \lceil (s-1)/2^{t-1} \rceil \leq r \leq 2^{j+1} - t - 1$ for some $j \geq 0$. 



For $t = 1$, the mask assignment algorithm reduces to the mask assignment 
algorithm of Shoup [14] and for $i = 0$, the mask assignment algorithm reduces 
to the mask assignment algorithm of Sarkar [13]. Hence we concentrate on the 
case $t > 1$ and $i > 0$. For practical parallel implementation, the value of $t$ will 
determine the number of processors and will be fixed whereas the value of $i$ can 
grow in an unbounded manner. 

Suppose $2^{u-1} < t - 1 \leq 2^u$. For $j \geq 0$, define two intervals of integers in the 
following manner: 

$$
\begin{aligned}
I_j &= \{2^{u+j} - 1 - \lceil (s-1)/2^{t-1} \rceil,\; 2^{u+j} - \lceil (s-1)/2^{t-1} \rceil,\; \ldots,\; 2^{u+j+1} - t - 1\}, \\
J_j &= \{2^{u+j+1} - t,\; 2^{u+j+1} - t + 1,\; \ldots,\; 2^{u+j+1} - 2 - \lceil (s-1)/2^{t-1} \rceil\}.
\end{aligned}
\tag{7}
$$

Clearly, $|I_j| = 2^{u+j} - t + 1 + \lceil (s-1)/2^{t-1} \rceil$, $|J_j| = t - 1 - \lceil (s-1)/2^{t-1} \rceil$ and 
$|I_j| + |J_j| = 2^{u+j}$. 
Fig. 1. Example of mask assignment for $t = 4$ and $i = 19$ (the figure arranges the nodes of $G_{4,19}$ by level, from level 6 down to level 0) 



Theorem 2. Suppose $i > 0$, $2^{u-1} < t - 1 \leq 2^u$ and for $j \geq 0$, $I_j$ and $J_j$ are as 
defined in (7). Then $\mathcal{D}_{t,i} = 0$ if $r \in I_j$; and $\mathcal{D}_{t,i} = 1$ if $r \in J_j$. 

From Theorem 2, it follows that for $j \geq 0$, in the interval $I_j \cup J_j$ of $2^{u+j}$ consecutive 
values of $r$, there are exactly $t - 1 - \lceil (s-1)/2^{t-1} \rceil$ points where the algorithm is suboptimal 
with respect to the lower bound. Moreover, at these points it requires exactly 
one extra mask over the lower bound. In any practical parallel implementation, 
the value of $t$ will be fixed, whereas the value of $r$ will grow. In such a situation, 
the ratio $(t - 1 - \lceil (s-1)/2^{t-1} \rceil)/2^{u+j}$ approaches zero very fast and hence we can 
say that for $t > 2$, the algorithm achieves optimal key length expansion almost 
everywhere. (Note that for $t = 1$, the algorithm reduces to Shoup's algorithm 
and hence achieves optimal key length expansion.) 

4.4 Computation of Message Digest 

Let $\{h_k\}_{k \in \mathcal{K}}$, where each $h_k$ is an $(n, m)$ function, be the compression UOWHF 
whose domain is to be extended. For $t > 1$, we require $n \geq 2m$. The nodes 
of $G_{t,i}$ represent the invocations of $h_k$. Thus $h_k$ is invoked a total of $N$ times. 
The output of $P_0$ is provided as output digest, whereas the outputs of all the 
other nodes are used as inputs to other invocations as defined by the arcs of 
$G_{t,i}$. Using Proposition 1 of [12] we obtain the following: Suppose a message $x$ is 
hashed using $G_{t,i}$ and the compression UOWHF $\{h_k\}_{k \in \mathcal{K}}$, where each $h_k$ is an 
$(n, m)$ function. Then $|x| = N(n - m) + m$. 

Thus $\{h_k\}_{k \in \mathcal{K}}$ is extended to $\{H_p\}$, where each $H_p$ is an $(N(n - m) + m, m)$ 
function and 

$$ p = k \,\|\, \alpha_0 \,\|\, \cdots \,\|\, \alpha_{l-1} \,\|\, \beta_0 \,\|\, \cdots \,\|\, \beta_{t-2}. $$

The message $x$ of length $N(n - m) + m$ has to be formatted into small 
substrings and provided as input to the different invocations of $h_k$. Write $x = 
x_0 \,\|\, \cdots \,\|\, x_{N-1}$, where the lengths of the $x_j$'s are as follows. 

$$
\begin{aligned}
|x_j| &= n - 2m &&\text{if } 0 \leq j \leq 2^{t-1} - 2; \\
&= n - m &&\text{if } 2^{t-1} - 1 \leq j \leq 2^{t-1} + i - 2; \\
&= n &&\text{if } 2^{t-1} + i - 1 \leq j \leq 2^t + i - 2.
\end{aligned}
\tag{8}
$$

The substring $x_j$ is provided as input to node $U$ with $\mathrm{nodenum}(U) = j$ and 
the $m$-bit output of $U$ is denoted by $z_j$. The outputs $z_1, \ldots, z_{N-1}$ are masked 
using the $\alpha$ and $\beta$ masks to obtain $m$-bit strings $y_1, \ldots, y_{N-1}$ in the following 
manner, where $V$ is the unique out neighbour of $U$. 

$$ y_j = z_j \oplus \psi(U, V) \quad \text{if } \mathrm{nodenum}(U) = j. \tag{9} $$

The inputs to the invocations of $h_k$ are formed from the $x$'s and the $y$'s in 
the following manner. There are $N$ invocations whose inputs are denoted by 
$w_0, \ldots, w_{N-1}$ and are defined as follows. 

$$
\begin{aligned}
w_j &= x_j \,\|\, y_{2j+1} \,\|\, y_{2j+2} &&\text{if } 0 \leq j \leq 2^{t-1} - 2; \\
&= x_j \,\|\, y_{j + 2^{t-1}} &&\text{if } i > 0 \text{ and } 2^{t-1} - 1 \leq j \leq 2^{t-1} + i - 2; \\
&= x_j &&\text{if } 2^{t-1} + i - 1 \leq j \leq 2^t + i - 2.
\end{aligned}
\tag{10}
$$

Note that the length of each $w_j$ is $n$ and hence we can invoke $h_k$ on $w_j$ for all 
$j \in \{0, \ldots, N - 1\}$. For any node $U \in V_{t,i}$ we define $x(U)$, $y(U)$ and $w(U)$ to be 
the $x$, $y$ and $w$ strings associated to the node $U$ as defined respectively in (8), (9) 
and (10). Similarly the output of node $U$ will be denoted by $z(U)$. 

Now we are ready to describe the digest computation algorithm. Most of the 
work has already been done, so that the description of the algorithm becomes 
simple. Suppose the compression UOWHF is $\{h_k\}_{k \in \mathcal{K}}$. We describe the digest 
computation of $H_p^{(t,i)}(x)$. 

Algorithm to compute $H_p^{(t,i)}(x)$ 

1. for $j = 0$ to $L - 1$ do 
2.   for all $U$ with $\mathrm{level}(U) = j$ do in parallel 
3.     compute $z(U) = h_k(w(U))$; 
4.   end do; 
5. end do; 
6. return $z_0$. 
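The digraph $G_{t,i}$ with its level numbering (4), the mask assignment $\psi$ of Sect. 4.2, the mask count of Sect. 4.3 and the digest computation of Sect. 4.4, as an added Python example (not the paper's code). It assumes a toy $(n, m)$ compression function built from truncated SHA-256 with byte rather than bit lengths, mask values derived from a constructed seed, and a loop over the nodes of one level in place of parallel processors.

```python
import hashlib
from typing import Dict, Tuple

def params(t: int, i: int) -> Tuple[int, int, int, int]:
    """Return (r, s, p, N) for G_{t,i}: i = r*2^(t-1) + s with s in {1, ..., 2^(t-1)} (3)."""
    if i == 0:
        return 0, 0, 0, 2 ** t - 1
    r, s = divmod(i - 1, 2 ** (t - 1))
    return r, s + 1, r + 1, 2 ** t - 1 + i

def level(t: int, i: int, n: int) -> int:
    """Level of the node with nodenum n, as in (4); there are L = p + t levels."""
    r, s, p, N = params(t, i)
    if n <= 2 ** t - 2:                       # P_n at depth j1 = floor(log2(n + 1))
        return p + t - 1 - ((n + 1).bit_length() - 1)
    j = n - (2 ** t - 1)                      # Q_j: j1 = j // 2^(t-1); level 0 once j1 = r
    return p - 1 - j // 2 ** (t - 1)

def nu(j: int) -> int:
    """nu(j): the j1 with 2^j1 dividing j and 2^(j1+1) not dividing j."""
    return (j & -j).bit_length() - 1

def psi(t: int, i: int, n: int) -> str:
    """Mask on the arc (U, V): U has nodenum n, V is its out-neighbour at level(U) + 1."""
    r, s, p, N = params(t, i)
    j = level(t, i, n) + 1
    if n >= 2 ** t - 1 or n % 2 == 1:         # Q-node, or left child P_{2v+1}
        return "alpha%d" % nu(j)
    return "beta%d" % (j - (p + 1))           # right child P_{2v+2}

def mask_counts(t: int, i: int) -> Tuple[int, int, int]:
    """(R_{t,i}, L_{t,i}, D_{t,i}): masks used, lower bound of Theorem 1, difference."""
    r, s, p, N = params(t, i)
    used = t - 1 + (p + t - 1).bit_length()   # (x - 1).bit_length() == ceil(log2 x)
    bound = (N - 1).bit_length()
    return used, bound, used - bound

def masks_used(t: int, i: int) -> set:
    """Distinct mask names that psi assigns over all arcs of G_{t,i}."""
    N = params(t, i)[3]
    return {psi(t, i, n) for n in range(1, N)}

def make_masks(t: int, i: int, seed: bytes, m: int) -> Dict[str, bytes]:
    """Constructed mask values (in the paper they are part of the key p = k||alpha||beta)."""
    r, s, p, N = params(t, i)
    names = ["alpha%d" % a for a in range((p + t - 1).bit_length())]
    names += ["beta%d" % b for b in range(t - 1)]
    return {nm: hashlib.sha256(seed + nm.encode()).digest()[:m] for nm in names}

def h(k: bytes, w: bytes, m: int) -> bytes:
    """Toy (n, m) compression function: first m bytes of SHA-256(k || w)."""
    return hashlib.sha256(k + w).digest()[:m]

def digest(t: int, i: int, k: bytes, masks: Dict[str, bytes],
           x: bytes, n: int, m: int) -> bytes:
    """H_p^{(t,i)}(x): split x by (8), mask outputs by (9), form inputs by (10),
    and evaluate level by level from level 0 up to the root P_0."""
    r, s, p, N = params(t, i)
    half = 2 ** (t - 1)
    assert len(x) == N * (n - m) + m, "message length must be N(n - m) + m"
    lengths = [n - 2 * m] * (half - 1) + [n - m] * i + [n] * half   # (8), in bytes
    xs, pos = [], 0
    for ln in lengths:
        xs.append(x[pos:pos + ln])
        pos += ln
    y: Dict[int, bytes] = {}
    for lev in range(p + t):
        for j in [u for u in range(N) if level(t, i, u) == lev]:
            if j <= half - 2:                                   # two children
                w = xs[j] + y[2 * j + 1] + y[2 * j + 2]
            elif j <= half + i - 2:                             # one predecessor
                w = xs[j] + y[j + half]
            else:                                               # indegree zero
                w = xs[j]
            z = h(k, w, m)
            if j == 0:
                return z                                        # output of P_0
            mask = masks[psi(t, i, j)]
            y[j] = bytes(a ^ b for a, b in zip(z, mask))        # (9)
    raise AssertionError("root P_0 was not reached")
```

For $t = 4$, $i = 33$ (so $r = 4$, $s = 1$) `mask_counts` reports one mask above the lower bound, which is the point $r = 4 \in J_0$ predicted by Theorem 2.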
5 Conclusion 

In this paper, we have formalized the model for masking based domain extending 
algorithms. Using this formal model, we obtained a lower bound on the minimum 
amount of key expansion required by any masking based algorithm. Our second 
contribution has been to develop a simple and efficient parallel domain extender. 
The key expansion of our algorithm is almost everywhere optimal whereas the 
efficiency of parallelism is asymptotically optimal. 
Abstract. Universal One-Way Hash Functions (UOWHFs) are families 
of cryptographic hash functions for which first a target input is chosen 
and subsequently a key which selects a member from the family. Their 
main security property is that it should be hard to find a second input 
that collides with the target input. This paper generalizes the concept 
of UOWHFs to UOWHFs of order r. We demonstrate that it is possible 
to build UOWHFs with much shorter keys than existing constructions 
from fixed-size UOWHFs of order r. UOWHFs of order r can be used 
both in the linear (r + 1)-round Merkle-Damgård construction and in a 
tree construction. 

Keywords: Hash Function, Collision Resistant Hash Function (CRHF), 
Universal One-Way Hash Function (UOWHF), Higher Order Universal 
One-Way Hash Function. 



1 Introduction 

Since the introduction of the notion of UOWHFs by Naor and Yung in 1989 [5], 
it is widely believed that UOWHFs form an attractive alternative to CRHFs 
(Collision Resistant Hash Functions). The main requirement for a UOWHF is 
that it is hard to find a second preimage. First a challenge input is selected by 
the opponent, subsequently a key is chosen which selects a member of the class 
of functions and only after this choice the opponent has to produce a second 
preimage with the same hash value (for this key) as the challenge input. This 
should be contrasted to CRHFs, where first a key is selected and subsequently 
two colliding inputs need to be found; due to the birthday paradox, a black box 
approach for a CRHF with an $n$-bit result takes on average about $2^{n/2}$ queries. 
Simon [10] has demonstrated that a UOWHF is a strictly weaker concept than 
a CRHF. UOWHFs can replace CRHFs in many applications; even for digital 
signatures this is feasible, but it should be noted that one becomes vulnerable 
to attacks by the signers (who can cheat and choose the key before the target 
message). The concept of UOWHFs has been generalized by Zheng et al. [12] 
and by Mironov [4]. 

A standard approach to construct hash functions that take input strings of 
arbitrary length is to start from a compression function that compresses input 
strings of fixed length. For CRHFs, the Merkle-Damgård construction is a widely 
used and efficient method [2,3]. Both authors showed independently that it is 
sufficient for the hash function to be collision resistant that the compression 
function is. Damgård also proposed a tree construction. Naor and Yung showed 
that it is possible in principle to build UOWHFs by composition [5]. However, 
Bellare and Rogaway showed that even if the compression function is a UOWHF, 
a 2-round Merkle-Damgård iteration of this function may not be a UOWHF. 

Subsequently, provably secure constructions have been developed based on 
compression functions at the cost of an increase in key length. Bellare and 
Rogaway [1] propose two types of constructions. 

— The first type has a linear structure; two variants of the Merkle-Damgård 
construction were shown to be secure: the basic linear hash and the XOR 
linear hash. Later, Shoup improved the XOR linear hash construction. He 
shows that if one has a fixed size UOWHF which maps $n$ bits to $m$ bits (with 
$n > m$), one can construct a UOWHF that can hash messages of bit-length 
$2^t(n - m) + m$ to $m$ bits using a key of bit-length $t \cdot m$ and $2^t$ applications 
of the compression function. Mironov has proved that this construction is 
optimal in terms of key size among linear constructions [4]. 

— The second type has a tree structure. Here the two constructions with a 
security proof are the basic tree hash and the XOR tree hash (they extend 
the work of [5]). XOR tree hash has subsequently been improved further, a.o. 
by Sarkar [7,8] and by Lee et al. [11], who reduce the key size and extend 
these structures to higher dimensional parallel constructions. 



1.1 Motivation 

The special UOWHF made by Bellare and Rogaway [1] loses its universal 
one-wayness when it is extended to a 2-round Merkle-Damgård construction. This 
example motivated us to study general constructions that work for any UOWHF 
compression function. It means that the Merkle-Damgård construction cannot 
be used for extending a universal one-way compression function in general. 
However, this property does not apply to all UOWHFs. The compression functions 
of certain UOWHFs may not lose their universal one-wayness until they are 
extended to a 3-round Merkle-Damgård construction. In this case, a 2-round 
Merkle-Damgård construction based on the compression function can be used as another 
compression function and so the key size of the whole scheme is reduced by a 
factor of 2. This leads to promising results, since an important goal of research 
on constructions extending UOWHFs has been optimization of the key size. 
We began with the Merkle-Damgård construction, but we found that the tree 
construction has the same problem as the Merkle-Damgård construction. 

Intuitively, a UOWHF which does not lose its universal one-wayness until 
it is extended to a 3-round Merkle-Damgård construction is a slightly stronger 
primitive than Bellare-Rogaway's special UOWHF. More generally, a UOWHF 
which does not lose its universal one-wayness until it is extended to a Merkle-Damgård 
construction with more rounds is stronger. So, we need new security notions to 
classify UOWHFs. 

1.2 Our Contribution 

We define the order of a UOWHF. We can classify UOWHFs according to the 
order. The classes of UOWHFs of the same order form a chain between the CRHF and 
UOWHF classes. 

We show in Theorem 1 that if a UOWHF has a higher order, a Merkle- 
Damgård construction with more rounds based on it becomes a UOWHF. Theo- 
rem 3 states that if a UOWHF has a higher order, a tree construction with more 
levels becomes a UOWHF. Theorems 1 and 3 are our main results. They con- 
sider collisions of the same length only, since we want to use our Merkle-Damgård 
and tree constructions only as a compression function which plays the role of a 
building block in the known constructions. Theorems 2 and 4 are generalizations 
of Theorems 1 and 3 which are mainly of theoretical interest. 

1.3 Organization of This Paper 

This paper is organized as follows. Section 2 introduces our notation and defini- 
tions and presents the counterexample of Bellare and Rogaway. In Sect. 3, our 
new definition of higher order UOWHFs is introduced. Sections 4 and 5 present 
respectively the Merkle-Damgård and the tree construction based on higher or- 
der UOWHFs. Some concluding remarks are made in Sect. 6. 

2 Preliminaries 

We will follow the notation and computation models in [1]. 

2.1 Notation 

We denote the concatenation of strings $x$ and $x'$ by $x \| x'$ or $xx'$. $\Sigma^n$ is the set 
of all strings of bit-length $n$. We use the notation $\Sigma^m_n$ instead of $\Sigma^{mn}$ when we 
want to stress that each string consists of $m$ blocks of bit-length $n$. The set of 
all strings whose lengths are multiples of $n$ is denoted by $\Sigma^+_n$. 

A hash function family is a function $H : \Sigma^k \times \Sigma^m \rightarrow \Sigma^c$, where $\Sigma^k$ is the 
key space, $\Sigma^m$ is the message space, and $\Sigma^c$ is the set of hash values. We often 
need to change $\Sigma^m$ to describe different hash function families. 

We write $x \xleftarrow{R} \Sigma^n$ for choosing a string of $n$-bit length uniformly at random. 
For a string $x$, $|x|$ is its bit-length. When $A$ is an algorithm, program or adversary, 
$A(x) \rightarrow y$ means that $A$ gets the information $x$ to output $y$. When we want to 
address that $A$ has no information to output $y$, we write $A(\mathrm{null}) \rightarrow y$ with the 
null string $\mathrm{null}$. 

We take the RAM (Random Access Machine) model of computation which is 
also used in [1], and measure the running time of a program with respect to that 
model. If $H : \Sigma^k \times \Sigma^m \rightarrow \Sigma^c$ is a hash function family, we let $T_H$ indicate the 
worst-case time to compute $H(K, x)$, in the underlying model of computation, 
when $K \in \Sigma^k$ and $x \in \Sigma^m$. 



2.2 Definitions of CRHF and UOWHF 

Recently, Rogaway and Shrimpton suggested seven simple and nice definitions 
of hash functions including CRHF and UOWHF [6], but we prefer to use some 
games to define our objects and to describe our work. 

Definition 1 (CRHF). A hash function family $H : \Sigma^k \times \Sigma^m \rightarrow \Sigma^c$, $m > c$, is 
$(t, \epsilon)$-CRHF if no adversary $A$ wins in the following game with the probability $\epsilon$ 
and within the time $t$: 

Game(CRHF, A, H) 
  $K \xleftarrow{R} \Sigma^k$ 
  $A(K) \rightarrow (x, x')$ 
  $A$ wins if $x \neq x'$ and $H(K, x) = H(K, x')$. 

In the game of Definition 1, the adversary gets the key $K$ of $H$. This implies 
that the adversary knows everything about $H(K, \cdot)$ and so it can try any exper- 
iments until it produces its output within the time $t$. However, the behavior of 
the adversary is more restricted in Definition 2. 

Definition 2 (UOWHF). A hash function family $H : \Sigma^k \times \Sigma^m \rightarrow \Sigma^c$, $m > c$, 
is $(t, \epsilon)$-UOWHF if no adversary $A = (A_1, A_2)$ wins in the following game with 
the probability $\epsilon$ and within the time $t$: 

Game(UOWHF, A, H) 
  $A_1(\mathrm{null}) \rightarrow (x, State)$ 
  $K \xleftarrow{R} \Sigma^k$ 
  $A_2(K, x, State) \rightarrow x'$ 
  $A = (A_1, A_2)$ wins if $x \neq x'$ and $H(K, x) = H(K, x')$. 

In Definition 2, algorithm $A_1$ outputs the target message $x$. The only infor- 
mation which the adversary has before producing the target message is $H$. $State$, 
the other output of $A_1$, is some extra state information which helps $A_2$ to find 
a collision. Algorithm $A_2$ outputs the sibling message $x'$ on input $(K, x, State)$. 

Strictly speaking, when we are given $H : \Sigma^k \times \Sigma^m \rightarrow \Sigma^c$, we should call it a 
CRHF family or a UOWHF family, but for simplicity we often just call it CRHF 
or UOWHF. 
3 Higher Order UOWHFs 

Let us revisit Definition 2. No access to any oracles is given to $A_1$. $A_1$ outputs 
$(x, State)$ with no information. So, the random selection of $K$ from the key space is 
independent of $A_1$'s behavior. Consequently, changing the order of steps 1 and 2 in the game 
doesn't affect the success probability of the adversary. So, the following game is 
essentially equivalent to the game in Definition 2. 

Definition 3. A hash function family $H : \Sigma^k \times \Sigma^m \rightarrow \Sigma^c$, $m > c$, is $(t, \epsilon)$- 
UOWHF if no adversary $A = (A_1, A_2)$ wins in the following game with the 
probability $\epsilon$ and within the time $t$: 

Game(UOWHF', A, H) 
  $K \xleftarrow{R} \Sigma^k$ 
  $A_1(\mathrm{null}) \rightarrow (x, State)$ 
  $A_2(K, x, State) \rightarrow x'$ 
  $A = (A_1, A_2)$ wins if $x \neq x'$ and $H(K, x) = H(K, x')$. 

However, unlike the game in Definition 2, we can add an oracle $O_{H(K, \cdot)}$ to 
the game in Definition 3, which gets a query $x$ and returns $y = H(K, x)$. We 
can then allow the adversary to access the oracle before he chooses the target 
message. Now we give the following definition. Let $Q$ be a set of adaptive query- 
answer pairs associated with the oracle $O_{H(K, \cdot)}$ which is initialized to the empty 
set $\emptyset$ in the game. 

Definition 4 (r-th Order UOWHF). A hash function family $H : \Sigma^k \times \Sigma^m \rightarrow 
\Sigma^c$, $m > c$, is $(t, \epsilon)$-UOWHF($r$) if no adversary $A = (A_1, A_2)$ wins in the follow- 
ing game with the probability $\epsilon$ and within the time $t$: 

Game(UOWHF(r), A, H) 
  $K \xleftarrow{R} \Sigma^k$; $Q \leftarrow \emptyset$ 
  if $r > 0$ do: 
    for $i = 1, \ldots, r$ do: 
      $A_1(Q) \rightarrow x_i$ 
      $y_i \leftarrow O_{H(K, \cdot)}(x_i)$ 
      $Q \leftarrow \{(x_i, y_i)\} \cup Q$ 
  $A_1(Q) \rightarrow (x, State)$ 
  $A_2(K, x, State) \rightarrow x'$ 
  $A = (A_1, A_2)$ wins if $x \neq x'$ and $H(K, x) = H(K, x')$. 

Indeed, the hash function families which satisfy Definition 3 can be regarded 
as UOWHF(0) families. The relationships among Definitions 1, 2, 3 and 4 can 
be summarized as follows. 

Proposition 1. Let $H : \Sigma^k \times \Sigma^m \rightarrow \Sigma^c$, $m > c$, be a hash function family. 
Then, 

1. $H$ is a $(t, \epsilon)$-UOWHF $\Leftrightarrow$ $H$ is a $(t, \epsilon)$-UOWHF(0). 

2. For any $r \geq 0$, $H$ is a $(t', \epsilon)$-UOWHF($r + 1$) $\Rightarrow$ $H$ is a $(t, \epsilon)$-UOWHF($r$), 
where $t = t' - O(T_H + m + c)$. 

3. For any $r \geq 0$, $H$ is a $(t', \epsilon)$-CRHF $\Rightarrow$ $H$ is a $(t, \epsilon)$-UOWHF($r$), where 
$t = t' - O(r)(T_H + m + c)$. 

Proof. The proofs of 1 and 2 are trivial. So, we only prove 3. Suppose that 
$A = (A_1, A_2)$ is an adversary for $H$ in the UOWHF($r$) sense. We use it to make 
the adversary $B$ who works in Game(CRHF, B, H) as follows. 

Game(CRHF, B, H) 
  $K \xleftarrow{R} \Sigma^k$ 
  $B(K)$ do: 
    $Q \leftarrow \emptyset$ 
    if $r > 0$ do: 
      for $i = 1, \ldots, r$ do: 
        $A_1(Q) \rightarrow x_i$ 
        $y_i \leftarrow H(K, x_i)$ 
        $Q \leftarrow \{(x_i, y_i)\} \cup Q$ 
    $A_1(Q) \rightarrow (x, State)$ 
    $A_2(K, x, State) \rightarrow x'$ 
    output $(x, x')$ 

In the above game, $B$ simulates the oracle $O_{H(K, \cdot)}$ for $A_1$. Since $B$ just outputs a 
collision which $A$ found, the probability that $B$ wins the game is the same as $A$'s. The 
running time of $B$ is at most $t + O(r)(T_H + m + c)$. □ 

We claim that $H$ is not a UOWHF(1) in Bellare and Rogaway's example [1]. 
If the adversary asks any query $x$ and gets the answer $y = H(K, x)$, then he 
would obtain the key $K$ and can make a collision easily. 

4 Merkle-Damgård Construction Based on Higher Order 
UOWHF 

Suppose we have a hash function family $H : \Sigma^k \times \Sigma^{c+m} \rightarrow \Sigma^c$, where $m$ is 
a positive integer. The Merkle-Damgård construction of $H$ with variable initial 
value gives a hash function family $\mathrm{MD}[H] : \Sigma^k \times (\Sigma^c \times \Sigma^+_m) \rightarrow \Sigma^c$. For each 
key $K \in \Sigma^k$ and any message $x = x_0 x_1 \ldots x_n$ where $x_0 \in \Sigma^c$ and $x_i \in \Sigma^m$ for 
$i = 1, \ldots, n$, $\mathrm{MD}[H]$ is defined as follows. 

Algorithm $\mathrm{MD}[H](K, x)$ 
  $n \leftarrow (|x| - c)/m$ 
  $y_0 \leftarrow x_0$ 
  for $i = 1, \ldots, n$ do: 
    $y_i \leftarrow H_K(y_{i-1} \| x_i)$ 
  return $y_n$ 

If $\mathrm{MD}[H]$ only takes $(c + nm)$-bit messages for a fixed $n$, it would always 
have $n$ rounds. In that case we use the notation $\mathrm{MD}_n[H]$ instead of $\mathrm{MD}[H]$. 
In the following theorem, we say that if $H$ is a UOWHF($r$), the $(r + 1)$-round 
$\mathrm{MD}_{r+1}[H]$ is a UOWHF. 




Fig. 1. 3-round Merkle-Damgård construction $\mathrm{MD}_3[H]$ 



Theorem 1. Let $H : \Sigma^k \times \Sigma^{c+m} \rightarrow \Sigma^c$ be a $(t', \epsilon')$-UOWHF($r$). Then, 
$\mathrm{MD}_{r+1}[H] : \Sigma^k \times \Sigma^{c+(r+1)m} \rightarrow \Sigma^c$ is a $(t, \epsilon)$-UOWHF, where $\epsilon = (r + 1)\epsilon'$ and 
$t = t' - O(r)(T_H + m + c)$. 

Proof. Let $x, x' \in \Sigma^{c+(r+1)m}$ be a collision for $\mathrm{MD}_{r+1}[H](K, \cdot)$. We observe that 
there exists an index $j \in \{1, \ldots, r + 1\}$ such that 

$$
\begin{aligned}
\mathrm{MD}[H](K, x_0 x_1 \cdots x_j) &= \mathrm{MD}[H](K, x_0' x_1' \cdots x_j') \\
\mathrm{MD}[H](K, x_0 x_1 \cdots x_{j-1}) \,\|\, x_j &\neq \mathrm{MD}[H](K, x_0' x_1' \cdots x_{j-1}') \,\|\, x_j'.
\end{aligned}
\tag{1}
$$

We will exploit this below. 

Assume that $A = (A_1, A_2)$ is an adversary who breaks $\mathrm{MD}_{r+1}[H]$ with in- 
puts of equal length in the UOWHF sense. We use it to make the adversary 
$B = (B_1, B_2)$ who works in the Game(UOWHF($r$), B, H) as follows. 

Game(UOWHF(r), B, H) 
  $K \xleftarrow{R} \Sigma^k$; $Q \leftarrow \emptyset$ 
  if $r > 0$ do: 
    for $j = 1, \ldots, r$ do: 
      $B_1(Q)$ do: 
        if $j = 1$ do: 
          $A_1(\mathrm{null}) \rightarrow (x, State_A)$ 
          $y_0 \leftarrow x_0$ 
          query $y_0 \| x_1$ to $O_{H(K, \cdot)}$ 
        if $j > 1$ do: 
          query $y_{j-1} \| x_j$ to $O_{H(K, \cdot)}$ 
      $y_j \leftarrow O_{H(K, \cdot)}(y_{j-1} \| x_j)$ 
      $Q \leftarrow \{(y_{j-1} \| x_j, y_j)\} \cup Q$ 
  $B_1(Q)$ do: 
    $i \xleftarrow{R} \{1, \ldots, r + 1\}$ 
    output $(y_{i-1} \| x_i, State_B)$ 
  $B_2(K, y_{i-1} \| x_i, State_B)$ do: 
    $A_2(K, x, State_A) \rightarrow x'$ 
    $y'_{i-1} \leftarrow \mathrm{MD}[H](K, x_0' x_1' \cdots x_{i-1}')$ 
    output $y'_{i-1} \| x'_i$ 

The adversary $B$ works in the game as follows. When $j = 1$, $Q$ is empty and 
$B_1$ runs $A_1$ to obtain $(x, State_A)$ where $x = x_0 x_1 \cdots x_{r+1}$. Then $B_1$ sets $y_0$ to 
$x_0$ and sends a query $y_0 \| x_1$ to the oracle $O_{H(K, \cdot)}$. When $j \neq 1$, $Q$ is nonempty 
and $B_1$ sends a query $y_{j-1} \| x_j$ to the oracle $O_{H(K, \cdot)}$. After collecting $r$ adaptive 
query-answer pairs, $B_1$ selects $i \in \{1, \ldots, r + 1\}$ at random, and then outputs 
$y_{i-1} \| x_i$ and $State_B = (i, x, State_A)$ as the target message and an additional 
state information for $B_2$, respectively. On input $(K, y_{i-1} \| x_i, State_B)$, $B_2$ runs 
$A_2$ by giving $(K, x, State_A)$. Once $A_2$ outputs its sibling message $x'$, $B_2$ computes 
$y'_{i-1}$ and outputs $y'_{i-1} \| x'_i$ as its sibling message. 

Now we must bound the probability that $(y_{i-1} \| x_i, y'_{i-1} \| x'_i)$ is a collision for 
$H(K, \cdot)$ in the game. Note that $i$ was chosen at random, so if $(x, x')$ is a collision 
for $\mathrm{MD}_{r+1}[H](K, \cdot)$ then we have $i = j$ with probability $1/(r + 1)$, where $j$ is 
the value of Equation (1). So, $\epsilon' \geq \epsilon/(r + 1)$. 

The running time of $B$ is that of $A$ plus the overhead. This overhead is 
$O(r)(T_H + m + c)$. The choice of $t$ in the theorem statement makes all this at 
most $t'$, from which we conclude the result. □ 
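The algorithm $\mathrm{MD}[H]$ of this section and the index $j$ of observation (1) in the proof above, as an added Python example (not the paper's code). It assumes a toy keyed compression function $H_K$ built from truncated SHA-256 with a deliberately tiny output length $c$ (in bytes), so that an equal-length collision for $\mathrm{MD}_3[H]$ can be constructed by brute force and the index $j$ recovered from it; such an $H$ is not a UOWHF and only serves to exercise the definitions.

```python
import hashlib
from typing import List, Optional

C = 2   # output length c in bytes (tiny on purpose, so collisions are findable)
M = 4   # block length m in bytes

def H(K: bytes, v: bytes) -> bytes:
    """Toy H : Sigma^k x Sigma^{c+m} -> Sigma^c, first c bytes of SHA-256(K || v)."""
    assert len(v) == C + M
    return hashlib.sha256(K + v).digest()[:C]

def block(x: bytes, i: int) -> bytes:
    """x_i for i >= 1 when x = x_0 x_1 ... x_n with |x_0| = c and |x_i| = m."""
    return x[C + (i - 1) * M : C + i * M]

def chain(K: bytes, x: bytes) -> List[bytes]:
    """Chaining values y_0, ..., y_n of MD[H](K, x); y_0 is the variable IV x_0."""
    n = (len(x) - C) // M
    ys = [x[:C]]
    for i in range(1, n + 1):
        ys.append(H(K, ys[-1] + block(x, i)))   # y_i <- H_K(y_{i-1} || x_i)
    return ys

def md(K: bytes, x: bytes) -> bytes:
    """Algorithm MD[H](K, x): returns y_n."""
    return chain(K, x)[-1]

def collision_index(K: bytes, x: bytes, xp: bytes) -> Optional[int]:
    """The index j of (1) for an equal-length collision (x, x') of MD[H](K, .):
    the chaining values after round j agree while the inputs to round j differ."""
    ys, yps = chain(K, x), chain(K, xp)
    for j in range(1, len(ys)):
        same_out = ys[j] == yps[j]
        same_in = (ys[j - 1] + block(x, j)) == (yps[j - 1] + block(xp, j))
        if same_out and not same_in:
            return j
    return None            # only possible if (x, x') was not a collision

def forge_collision(K: bytes, x: bytes, j: int) -> bytes:
    """Constructed test helper: replace block x_j by a block that maps to the same
    y_j (a brute-force search that is feasible only because c is 2 bytes)."""
    ys = chain(K, x)
    start, end = C + (j - 1) * M, C + j * M
    for ctr in range(1, 1 << 24):
        cand = ctr.to_bytes(M, "big")
        if cand != x[start:end] and H(K, ys[j - 1] + cand) == ys[j]:
            return x[:start] + cand + x[end:]
    raise RuntimeError("no second preimage found for the toy H")
```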

Assume that a domain $\mathcal{D}$ and a range $\mathcal{R}$ are fixed. We regard the notion 
of UOWHF($r$) as the class of all UOWHF($r$). We also consider the class of all 
the hash functions which do not lose universal one-wayness (up to equal-length 
collisions) until they are extended to an $(r + 1)$-round Merkle-Damgård construction, 
UOW-MD($r$). From Proposition 1 and Theorem 1, it is easy to see that these 
classes form two different chains between the classes CRHF and UOWHF with 
the same domain $\mathcal{D}$ and the same range $\mathcal{R}$, and that for each integer $r \geq 0$, 
UOWHF($r$) implies UOW-MD($r + 1$) (see Fig. 2). 

We can generalize Theorem 1 to $\mathrm{MD}[H]$ taking inputs of variable length. We 
assume that the message is always padded such that its length is a multiple of 
$m$. There are many padding methods but we don't mention any specific one. 
We use the notation $(t, \mu_1, \mu_2, \epsilon)$-UOWHF instead of $(t, \epsilon)$-UOWHF. $\mu_1$ is the 
bound on the length of the target message and $\mu_2$ is the bound on the length of 
the sibling message. Note that the only restriction on $\mu_2$ is that the algorithms 
on the sibling message should be computable in polynomial time. 

Theorem 2. Suppose $H : \Sigma^k \times \Sigma^{c+m} \rightarrow \Sigma^c$ is a $(t', \epsilon')$-UOWHF($r$). Suppose 
$\mu_1 - c$ and $\mu_2 - c$ are multiples of $m$. Then, for $\mu_1 \leq c + (r + 1)m$ and a proper 
$\mu_2$, $\mathrm{MD}[H] : \Sigma^k \times (\Sigma^c \times \Sigma^+_m) \rightarrow \Sigma^c$ is a $(t, \mu_1, \mu_2, \epsilon)$-UOWHF, where $\epsilon = \sigma_{\min} \epsilon'$ 
and $t = t' - O(\sigma_{\max})(T_H + m + c)$ for $\sigma_{\min} = \min\{(\mu_1 - c)/m, (\mu_2 - c)/m\}$ and 
$\sigma_{\max} = \max\{(\mu_1 - c)/m, (\mu_2 - c)/m\}$. 
Fig. 2. Two chains between CRHF and UOWHF. Each arrow means the implication 

Fig. 3. 3-level tree construction $\mathrm{TR}_3[H]$ for the case of $l = 3$ 

Proof. The proof is similar to that of Theorem 1. 



5 Tree Construction Based on Higher Order UOWHF 

If we are given a UOWHF family $H : \Sigma^k \times \Sigma^m \rightarrow \Sigma^c$ and $m$ is a multiple of 
$c$, we can extend it more efficiently by using a tree structure. If $m = dc$ for a 
positive integer $d$, we can use a $d$-ary tree structure. Since a tree construction 
consists of parallel procedures, it can be more efficient than the Merkle-Damgård 
construction if multiple processors are available. 

Firstly, we define the parallel construction $\mathrm{PA}[H]$ on $H$. $\mathrm{PA}_n[H]$ consists of 
$n$ components $\mathrm{PA}_n[H]_1, \ldots, \mathrm{PA}_n[H]_n$. For $K \in \Sigma^k$ each component function 
$\mathrm{PA}_n[H]_i$ is 

$$
\mathrm{PA}_n[H]_i(K, x) =
\begin{cases}
H(K, x_i) & \text{if } |x_i| = dc \\
x_i & \text{if } |x_i| = c
\end{cases}
$$

That is, the domain of $\mathrm{PA}_n[H]_i(K, \cdot)$ is $\Sigma^c \cup \Sigma^{dc}$, while the domain of $H(K, \cdot)$ 
is $\Sigma^{dc}$. 

We assume that we are given $x = x_1 \cdots x_n$ for each $x_i \in \Sigma^c \cup \Sigma^{dc}$. For a key 
$K \in \Sigma^k$, $\mathrm{PA}_n[H](K, x)$ is defined as follows. 

Algorithm $\mathrm{PA}_n[H](K, x)$ 
  $n \leftarrow \log_{dc} |x|$ 
  for $i = 1, \ldots, n$ do: 
    $y_i \leftarrow \mathrm{PA}_n[H]_i(K, x_i)$ 
  return $y_1 \| \cdots \| y_n$ 

Now we define a tree construction $\mathrm{TR}[H]$ based on $H$. We begin with the 
message space $\Sigma^{d^l c}$. We denote the tree construction on $H$ to hash only messages 
in $\Sigma^{d^l c}$ as $\mathrm{TR}_l[H]$. For each key $K \in \Sigma^k$ and any message $x \in \Sigma^{d^l c}$, $\mathrm{TR}_l[H]$ is 
defined according to: 

Algorithm $\mathrm{TR}_l[H](K, x)$ 
  $Level[0] \leftarrow x$ 
  for $i = 1, \ldots, l$ do 
    $Level[i] \leftarrow \mathrm{PA}_{d^{l-i}}[H](K, Level[i - 1])$ 
  return $Level[l]$ 

Write $Level[0] = x$ as $x_0 = x_0^1 x_0^2 \cdots x_0^{d^l}$ where $x_0^i \in \Sigma^c$ for $i = 1, \ldots, d^l$. 
Then, we can see $\mathrm{TR}_l[H](K, x)$ is computed as follows. 

$$
\begin{aligned}
Level[0] &= x_0^1 x_0^2 \cdots x_0^{d^l} \\
Level[1] &= x_1^1 x_1^2 \cdots x_1^{d^{l-1}} \\
&\;\;\vdots \\
Level[l-1] &= x_{l-1}^1 \cdots x_{l-1}^{d} \\
Level[l] &= x_l^1
\end{aligned}
$$

where $x_i^j = H(K, x_{i-1}^{(j-1)d+1} \cdots x_{i-1}^{jd})$. 

The following theorem states that if $H$ is a UOWHF($r$) and $r = (d^l - d)/ 
(d - 1)$, then $\mathrm{TR}_l[H]$ is a UOWHF. 

Theorem 3. Let $H : \Sigma^k \times \Sigma^{dc} \rightarrow \Sigma^c$ be a $(t', \epsilon')$-UOWHF($r$) and $r = (d^l - 
d)/(d - 1)$. Then $\mathrm{TR}_l[H] : \Sigma^k \times \Sigma^{d^l c} \rightarrow \Sigma^c$ is a $(t, \epsilon)$-UOWHF, where $\epsilon = (r + 1)\epsilon'$, 
and $t' = t + O(d^l)(T_H + dc)$. 

Proof. Assume that $x, y \in \Sigma^{d^l c}$ is a collision for $\mathrm{TR}_l[H](K, \cdot)$. We observe that 
there exist $\alpha \in \{1, \ldots, l\}$ and $\beta \in \{1, \ldots, d^{l-\alpha}\}$ such that 

$$ x_\alpha^\beta = y_\alpha^\beta \tag{2} $$

We will exploit this below. 

Assume that $A = (A_1, A_2)$ is an adversary who breaks $\mathrm{TR}_l[H]$ with inputs of 
equal length in the UOWHF sense. We use it to make the adversary $B = (B_1, B_2)$ 
who works in Game(UOWHF($r$), B, H) as follows. 
Game(UOWHF(r), B, H) 
  $K \xleftarrow{R} \Sigma^k$; $Q \leftarrow \emptyset$ 
  if $r > 0$ do: 
    for $u = 1, \ldots, l - 1$ do: 
      for $v = 1, \ldots, d^{l-u}$ do: 
        $B_1(Q)$ do: 
          if $(u, v) = (1, 1)$ do: 
            $A_1(\mathrm{null}) \rightarrow (x, State_A)$ 
            query $x_0^1 \| \cdots \| x_0^d$ to $O_{H(K, \cdot)}$ 
          if $(u, v) \neq (1, 1)$ do: 
            query $x_{u-1}^{(v-1)d+1} \| \cdots \| x_{u-1}^{vd}$ to $O_{H(K, \cdot)}$ 
  $B_1(Q)$ do: 
    $i \xleftarrow{R} \{1, \ldots, l\}$; $j \xleftarrow{R} \{1, \ldots, d^{l-i}\}$ 
    output $(x_{i-1}^{(j-1)d+1} \| \cdots \| x_{i-1}^{jd}, State_B)$ 
  $B_2(K, x_{i-1}^{(j-1)d+1} \| \cdots \| x_{i-1}^{jd}, State_B)$ do: 
    $A_2(K, x, State_A) \rightarrow y$ 
    output $y_{i-1}^{(j-1)d+1} \| \cdots \| y_{i-1}^{jd}$ 

The adversary $B$ works in the game as follows. When $(u, v) = (1, 1)$, $Q$ is 
empty and $B_1$ runs $A_1$ to obtain $(x, State_A)$ where $x = x_0^1 \| \cdots \| x_0^{d^l} \in \Sigma^{d^l c}$. 
Then, $B_1$ sends a query $x_0^1 \| \cdots \| x_0^d$ to the oracle $O_{H(K, \cdot)}$. When $(u, v) \neq (1, 1)$, 
$Q$ is nonempty. $B_1$ sends a query $x_{u-1}^{(v-1)d+1} \| \cdots \| x_{u-1}^{vd}$ to the oracle $O_{H(K, \cdot)}$. 
After collecting $r$ adaptive query-answer pairs, $B_1$ randomly selects $i$ and $j$ from 
$\{1, \ldots, l\}$ and $\{1, \ldots, d^{l-i}\}$ respectively. Then $B_1$ outputs $x_{i-1}^{(j-1)d+1} \| \cdots \| x_{i-1}^{jd}$ as 
the target message and $State_B = (i, j, x, State_A)$ as an additional state informa- 
tion for $B_2$. On the input $(K, x_{i-1}^{(j-1)d+1} \| \cdots \| x_{i-1}^{jd}, State_B)$, $B_2$ runs $A_2$ by giving 
$(K, x, State_A)$. Once $A_2$ outputs its sibling message $y$, $B_2$ computes and outputs 
$y_{i-1}^{(j-1)d+1} \| \cdots \| y_{i-1}^{jd}$ as its sibling message. 

Now we must bound the probability that $(x_{i-1}^{(j-1)d+1} \| \cdots \| x_{i-1}^{jd},\; y_{i-1}^{(j-1)d+1} \| \cdots \| y_{i-1}^{jd})$ 
is a collision for $H(K, \cdot)$. The number of possibilities for $(i, j)$ is at most 
$d^{l-1} + \cdots + d + 1 = (d^l - 1)/(d - 1)$. Note that $i$ and $j$ were chosen randomly and 
independently, so if $(x, y)$ is a collision for $\mathrm{TR}_l[H](K, \cdot)$ then we have $(i, j) = (\alpha, \beta)$ 
with probability $(d - 1)/(d^l - 1)$, where $(\alpha, \beta)$ is the pair in Equation (2). So, 
$\epsilon' \geq \epsilon (d - 1)/(d^l - 1)$. 

The running time of $B$ is that of $A$ plus the overhead, which is equal to 
$O(d^l)(T_H + dc)$. □ 

The tree construction can hash the messages of variable lengths like the 
Merkle-Damgård construction. We assume that we are given a message $x$. When 
$\lceil \log_d(|x|/c) \rceil = l$, we pad $x$ such that the length of the padded message $x^*$ is the 
smallest value at least $|x|$ of the form $|x^*| = (d^l - qd + q)c$ for some integer 
$0 \leq q < d^{l-1}$. Then, the number of applications of the underlying hash function 
is $1 + d + d^2 + \cdots + d^{l-1} - q = \frac{d^l - 1}{d - 1} - q$. See Fig. 4, 5, 6 and 7 for the case of 
$l = 2$, $d = 4$. We denote the set of the padded messages in such a way by 

$$ S(c, d) = \{x \in \Sigma^* : |x| = (d^l - qd + q)c \text{ for some integers } l > 0 \text{ and } 0 \leq q < d^{l-1}\}. $$
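The parallel construction $\mathrm{PA}[H]$, the tree hash $\mathrm{TR}_l[H]$ and the padding into $S(c, d)$ described above, as an added Python example (not the paper's code). It assumes a toy $H_K$ built from truncated SHA-256 with byte lengths $c = 4$ and $d = 2$, zero-byte padding, components parsed from the left of each level, and the $q$ single-block components placed at the right end of level 0; it also returns the number of applications of $H$ so the count $(d^l - 1)/(d - 1) - q$ can be checked.

```python
import hashlib
from typing import List, Tuple

C = 4   # block length c in bytes
D = 2   # arity d of the tree, so m = dc

def H(K: bytes, x: bytes) -> bytes:
    """Toy H : Sigma^k x Sigma^{dc} -> Sigma^c, first c bytes of SHA-256(K || x)."""
    assert len(x) == D * C
    return hashlib.sha256(K + x).digest()[:C]

def pa(K: bytes, comps: List[bytes]) -> List[bytes]:
    """PA_n[H](K, x_1 ... x_n): hash dc-byte components, pass c-byte ones through."""
    return [H(K, x) if len(x) == D * C else x for x in comps]

def regroup(blocks: List[bytes]) -> List[bytes]:
    """Parse the concatenation y_1 || ... || y_n into dc-byte components (assumption:
    from the left; a trailing c-byte remainder stays a single block)."""
    joined = b"".join(blocks)
    return [joined[k:k + D * C] for k in range(0, len(joined), D * C)]

def tree_hash(K: bytes, level0: List[bytes]) -> Tuple[bytes, int]:
    """TR_l[H](K, x): Level[i] = PA[H](K, Level[i-1]) until a single c-byte block
    remains. Returns (digest, number of applications of H)."""
    level, apps = level0, 0
    while True:
        apps += sum(1 for x in level if len(x) == D * C)
        outs = pa(K, level)
        if len(outs) == 1:
            return outs[0], apps
        level = regroup(outs)

def pad_to_S(x: bytes) -> Tuple[List[bytes], int, int]:
    """Pad x with zero bytes to the smallest length (d^l - qd + q)c >= |x| with
    0 <= q < d^(l-1); return the level-0 components together with l and q."""
    blocks = -(-len(x) // C)                 # ceil(|x| / c)
    l = 1
    while D ** l < blocks:
        l += 1
    q = 0                                    # largest q keeping the length >= |x|
    while q + 1 < D ** (l - 1) and D ** l - (q + 1) * (D - 1) >= blocks:
        q += 1
    total = D ** l - q * (D - 1)
    x = x.ljust(total * C, b"\x00")
    split = (D ** (l - 1) - q) * D * C       # d^(l-1) - q full components first
    full = [x[k:k + D * C] for k in range(0, split, D * C)]
    singles = [x[k:k + C] for k in range(split, total * C, C)]
    return full + singles, l, q

def hash_message(K: bytes, x: bytes) -> Tuple[bytes, int, int, int]:
    """TR[H] on S(c, d): returns (digest, l, q, applications of H)."""
    comps, l, q = pad_to_S(x)
    digest, apps = tree_hash(K, comps)
    return digest, l, q, apps
```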

Now we generalize Theorem 3. 

Fig. 4. $|x|/c = 16 = 4^2$ 

Theorem 4. Suppose $H : \Sigma^k \times \Sigma^{dc} \rightarrow \Sigma^c$ is a $(t', \epsilon')$-UOWHF($r$). Suppose 
$\mu_i = d^{l_i} - q_i d + q_i$ for $i = 1, 2$. Then for $\mu_1 \leq c(r(d - 1) + d)$ and a proper 
$\mu_2$, $\mathrm{TR}[H] : \Sigma^k \times S(c, d) \rightarrow \Sigma^c$ is a $(t, \epsilon)$-UOWHF, where $\epsilon = \sigma_{\min} \epsilon'$ and 
$t = t' - O(\sigma_{\max})(T_H + dc)$ for $\sigma_{\min} = \min\left\{\frac{d^{l_1} - 1}{d - 1} - q_1, \frac{d^{l_2} - 1}{d - 1} - q_2\right\}$ and 
$\sigma_{\max} = \max\left\{\frac{d^{l_1} - 1}{d - 1} - q_1, \frac{d^{l_2} - 1}{d - 1} - q_2\right\}$. 



Proof. The proof is similar to that of Theorem 3. □ 

6 Conclusion 

We defined the order of a UOWHF family and showed how much the efficiency of known constructions for UOWHFs is improved by the notion of the order. Our main results are as follows.

— If the order of the underlying UOWHF H is r, then the (r+1)-round Merkle-Damgård construction MD_{r+1}[H] is also a UOWHF. If the resulting function MD_{r+1}[H] is used as a building block in existing constructions with linear structure, the key size can be reduced by at most a factor of (r + 1).

— If the order of the underlying UOWHF H : {0,1}^{dc} → {0,1}^c is r =

then the l-level tree construction TR_l[H] is also a UOWHF. If the resulting function TR_l[H] is used as a building block in existing constructions with tree structure, the key size can be reduced by at most a factor of l.
Abstract. MD2 is an early hash function developed by Ron Rivest for RSA Security, that produces message digests of 128 bits. In this paper, we show that MD2 does not reach the ideal security level of 2^128. We describe preimage attacks against the underlying compression function, the best of which has complexity of 2^73. As a result, the full MD2 hash can be attacked in preimage with complexity of 2^104.



1 Introduction 

Cryptographic hash functions are an important primitive used in various situa- 
tions. The main fields of applications are message authentication codes, digital 
signatures, and therefore certificates. Hash functions are also used as a building 
tool in many protocols and advanced constructions. 

By definition, a hash function H is a function mapping an input message m of arbitrary length to an output h of fixed length (typically this length ranges from 128 to 512 bits).

The main properties expected from a cryptographic hash function are: 

— Collision Resistance: it should be hard to find two inputs m and m' that map to the same output by H.

— Second Preimage Resistance: for a given m, it should be hard to find a second input m' such that m and m' map to the same output by H.

— Preimage Resistance: for a given challenge h, it should be hard to find an input m which maps to h by H.

More can be found on the theory of hash functions in [9, 10]. Most of the hash 
functions used in practice belong to the so-called “MD family”. This family of 
hash functions was initially developed by Ron Rivest for RSA Security. The first 
proposal was MD2 [7], an early, non-conventional, byte-oriented design. It was 
quickly followed by MD4 [11] and MD5 [12], two hash functions with a more 
modern, 32-bit-oriented design. Despite not being collision-resistant [3], MD4 
has inspired most modern hash functions designs, like the RIPEMD family or 
the SHA family. Over the last years, the effort on attacking hash functions has mostly concerned collision resistance [2-4, 15], since this property is essential for many applications. However, few results have been reported regarding (second) preimage attacks for these hash functions (see [5, 9]).

P.J. Lee (Ed.): ASIACRYPT 2004, LNCS 3329, pp. 214-229, 2004. 
In this paper, we focus on the MD2 hash function [7]. Despite being the oldest hash function of its family, and despite using an old-fashioned architecture, MD2 is still used in several contexts. For instance, if we look at the recent PKCS v2.1, a cryptographic standard from RSA Security [17], the MD2 hash is still given as an example of a one-way, collision-resistant hash function, while MD4 has been removed, presumably because of Dobbertin's collision attack [3]. In addition, it is specified that "MD2 (is) recommended only for compatibility with existing applications based on PKCS #1 v1.5". The underlying explanation is that the use of MD2 was highly encouraged in the previous version from 1993 [16], where MD2 was recommended as a "conservative design". This confidence in MD2 is not surprising because, despite being quite inefficient and based on an older design philosophy, MD2 has resisted cryptanalysis surprisingly well. The only known attack is a collision attack against the compression function [14]. This attack works with the correct IV; however, it no longer works when a checksum is appended to the message, as imposed by the specifications [7]. For the full hash function, no attack is known.

Consequently MD2 still appears in various applications and even in some proposed standards [1]. However, the crucial security point regarding MD2 is now its use in public-key infrastructures. Many certificates have been generated with RSA-MD2 in the past and many of them are still widely used (Verisign certificates, for instance). Actually, anyone can easily verify that recent versions of Windows are delivered with those MD2 certificates. Therefore millions of users are probably using MD2-based certificates on a regular basis. The security of certificates is a particular problem. Indeed, collision attacks do not threaten the security of the scheme, because the input of the signature primitive (typically the primitive used with MD2 is the RSA signature) is fixed. An attacker needs to find a collision between two inputs of MD2, one of them being the data part of the certificate. If he succeeds, he will manage to forge a new valid certificate. Hence what is required here is exactly second preimage resistance of MD2. This is an important motivation to analyze the security of MD2 regarding preimage and second preimage attacks, which is the focus of this paper. We obtained interesting new results and theoretical attacks. Since our best attack against MD2 is more efficient than a naive guessing attack in 2^128, MD2 can no longer be considered a secure one-way hash function.

First, we describe briefly the MD2 algorithm. Then, we focus on the compression function and describe several attacks. The best is a pseudo-preimage attack with complexity 2^73. Finally, we show how to turn these attacks into an attack on the full hash, which is not straightforward because of the checksum bytes.

2 The MD2 Hash Function 

2.1 Generalities 

The MD2 Message-Digest algorithm was developed in 1989 by Ron Rivest. The 
actual specifications can be found in RFC 1319 [7]. This algorithm belongs, 
together with MD4 and MD5, to the family of hash functions developed by Ron 
Rivest for RSA Security. However, compared to the other algorithms of the family (and to most current hash functions), MD2 has several interesting particularities:

— MD2 is a byte-oriented hash function. Indeed all instructions handle 8 bits of data. While this was useful for old architectures, today's processors can manipulate words of (at least) 32 bits. Consequently all modern hash functions use 32-bit instructions. This is the case for MD4, MD5 and also for the hash functions of the RIPEMD and SHA families.

— MD2 uses a checksum of 128 bits computed from the whole message and appended as the last input block of the compression function. Hence MD2 does not follow the Merkle-Damgård construction, unlike most current hash functions. Consequently classical results [9] on how to turn collisions on the compression function into collisions for the whole hash function do not apply here. This is the reason why the collision attack described in [14] does not extend to the full MD2 hash.

— The compression function of MD2 has a different architecture from most modern hash functions. Indeed it does not look like a block cipher. Instead, a fixed "scrambling" function is iterated on a 384-bit internal state. The initial state is derived linearly from a message block of length 128 bits and an intermediate hash of 128 bits. The final state is truncated to 128 bits. This function uses simple instructions like XOR and a nonlinear S-box.

Therefore MD2 is a very early hash function design and differs significantly from modern hash functions. In terms of efficiency, it compares quite badly to its competitors (mostly because of the byte-oriented structure).

2.2 Description of MD2 

In this section, we describe more precisely the mechanisms used by the MD2 
hash function (see [7] for the full specifications). The general description of MD2 
is found in Figure 1. 



Fig. 1. The MD2 Hash Function (label in the figure: message with padding)



All blocks manipulated have length 128 bits. We refer to the blocks of the message as M_0, ..., M_n. The first step of MD2 is to append a padding to the initial message, then to compute a checksum block (that we call C). This increases the length of the message by 1 block. Finally the compression function (referred to as F) is applied iteratively to produce the hash value. If we call H_i the i-th intermediate hash,

$$H_{i+1} = F(H_i, M_i)$$

The IV of the hash function is H_0 and is set by default to 0.

The Compression Function. A precise representation of the compression function F is given in Figure 2. Each box in this figure contains one byte. F is decomposed into 3 matrices, denoted by A, B and C, with 16 columns and 19 rows each. The first row of each matrix is initialized respectively with H_i, M_i and H_i ⊕ M_i. Then the rows of each matrix are computed recursively from top to bottom. The last rows of B and C are not used. The addition symbol in the figure denotes addition modulo 256.
Fig. 2. The Compression Function of MD2

The computations are based on a function φ from 16 bits to 8 bits. In the case of the matrix A, this can be described by the equations:

$$A^j_i = \varphi(A^{j-1}_i, A^j_{i-1}) = A^{j-1}_i \oplus S(A^j_{i-1})$$

where S is a fixed S-box on 8 bits. Equations for matrices B and C are exactly the same. This function φ is represented in Figure 3. For the particular case i = 0, a byte extracted from another matrix is used instead of A^j_{i−1} (see Figure 2).

The Checksum Function. The checksum C is computed from the blocks of the message by iterating a non-linear checksum function, that we call G. Details on G are not relevant for our attacks. Basically G uses only basic operations like XOR and the S-box S. At a high level, the following equations describe this mechanism:

$$IC_0 = 0, \qquad IC_{i+1} = G(IC_i, M_i)$$

Fig. 3. The φ function

G is a complicated function; however, it is straightforward to compute the intermediate checksum IC_i from IC_{i+1} and M_i. The final value IC_{n+1} is the appended checksum C. A precise description of G is available in [7].

3 Collision Attacks Against MD2 

The only known cryptanalytic result against MD2 is the paper by Rogier and Chauvaud [14]. In this paper, collisions on the compression function F are described. This attack works very well because the IV used in MD2 is 0 (although a variant is proposed for other IVs with an increased complexity). Details of this attack are not essential here. The key idea is to use the symmetry between matrices B and C when H_i = 0 (the first rows are equal in this case). Unfortunately collisions cannot be extended to the full MD2 because of the checksum bytes.

Although collision attacks may be of interest in many contexts, there are several arguments why researching efficient collision attacks for MD2 is no longer a major concern.

— First, one has to take into account the dimension of MD2. The produced hash values have length only 128 bits. Therefore birthday paradox attacks have complexity of the order of 2^64. This is not a satisfying level of security for modern applications. As an example, the MD5 hash function (whose output also has length 128 bits) is currently the subject of a distributed attack to find collisions [8]. It is clear that the interest in finding complicated shortcut attacks diminishes when efficient attacks using a large computational power are possible [18].

— Secondly, MD2 is no longer widely used in practice. For instance, in MACs or signatures, the collision resistance of a hash function is generally a requirement, but MD2 is no longer recommended for such applications. However, as we mentioned previously, MD2 is still used in some certificates. In this context, collision resistance is not really a concern, but preimage and second preimage resistance are required.
4 Preimage Attacks Against MD2 Compression Function

A large variety of definitions for preimage and second preimage attacks exist in 
the literature, depending on what is a fixed challenge for the attacker and what 
can be freely chosen. A classical reference is [9], however a new classification of 
these notions has been recently given in [13]. 

In this section, we focus only on (preimage) attacks against the compression 
function of MD2. It is well known that these attacks can generally be extended 
to attacks against the whole hash (see [9]). 

4.1 Three Scenarios 

According to the previous notations, the compression function F operates by:

$$H_{i+1} = F(H_i, M_i)$$

where the H_i's are intermediate hash values and M_i is a message block (see Section 2.2). Basically we can consider 3 attack scenarios at this point:

1. H_{i+1} and H_i are given and the attacker must find an appropriate M_i.

2. H_{i+1} and M_i are given and the attacker must find an appropriate H_i.

3. H_{i+1} is given and the attacker must find appropriate H_i and M_i.

Any of these attacks may be of interest to attack the whole hash. Obviously, the 1st and 2nd attacks are very similar because the roles of H_i and M_i in F are almost symmetric.

These 3 attack scenarios have received different names in the literature. Recently the names "aPre" ("a" stands for "always"), "ePre" ("e" stands for "everywhere") and "Pre" have been given to these 3 notions [13]. In [9], the terminology of "preimage resistance" and "pseudo-preimage resistance" is used. In the following sections, we consider each scenario separately and propose new attacks.

4.2 Attacking Scenario 1 

In this scenario, we suppose that H_i and H_{i+1} are a fixed challenge and our goal is to find an appropriate M_i such that

$$H_{i+1} = F(H_i, M_i)$$

First, we notice that a solution does not necessarily exist. Indeed all variables have length 128 bits, so on average only one solution M_i is expected, but there is no guarantee. We propose an attack that recovers all solutions corresponding to a given challenge (H_i, H_{i+1}). Basically our attack is a sophisticated combination of exhaustive search and meet-in-the-middle attacks. It proceeds in two distinct steps. In the following, we call (m_0, ..., m_15) the 16 bytes of M_i.

First Step. The first step of the attack is to derive all possible information from the challenge (H_i, H_{i+1}). These two objects are stored in the first and last rows of matrix A (see Figure 4, where dashed cells correspond to the known bytes).
Fig. 4. Initial knowledge when H_{i+1} and H_i are fixed

Fig. 5. Known values in the matrix A

Because of the structure of φ (this function is used to compute the contents of the matrices, see Section 2.2), more information can be derived directly from the challenge. For instance, when A^j_{i−1} and A^j_i are known, we can obtain A^{j−1}_i since:

$$A^j_i = \varphi(A^{j-1}_i, A^j_{i-1}) = A^{j-1}_i \oplus S(A^j_{i-1})$$

In Figure 5, we represented by dashed boxes the large portion of A that can be derived directly this way. The second row is known because the byte introduced on the left-hand side is known and always equal to 0.

In addition, if we guess the byte introduced on the left-hand side of the 3rd row in A (i.e. C^1_{15} + 1), then we can derive the full content of matrix A by similar considerations. In particular the bytes A^j_{15} are known, and also the bytes C^j_{15} for j > 0.
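The matrix description of Section 2.2 and the First Step of Section 4.2 are easiest to check by running them. The Python below is an added example written for this page, not code from the paper or from RSA Security: it implements MD2 as specified in RFC 1319 (with the RFC's S-box, checked against the RFC's test vectors), exposes the matrices A, B and C of Figure 2, shows that the checksum step G can be inverted from (IC_{i+1}, M_i) as Section 2.2 states, and carries out the First Step: from (H_i, H_{i+1}) and one guessed byte t2 (the byte fed into the left-hand side of the third row of A), the whole of A is recovered. The function names (compress_matrices, recover_A, first_step_demo and so on) and the sample inputs are ours and are labelled as constructed in the comments.

```python
# PI_SUBST, the S-box of RFC 1319: a fixed permutation of the 256 byte values.
S = bytes([
    41, 46, 67, 201, 162, 216, 124, 1, 61, 54, 84, 161, 236, 240, 6, 19,
    98, 167, 5, 243, 192, 199, 115, 140, 152, 147, 43, 217, 188, 76, 130, 202,
    30, 155, 87, 60, 253, 212, 224, 22, 103, 66, 111, 24, 138, 23, 229, 18,
    190, 78, 196, 214, 218, 158, 222, 73, 160, 251, 245, 142, 187, 47, 238, 122,
    169, 104, 121, 145, 21, 178, 7, 63, 148, 194, 16, 137, 11, 34, 95, 33,
    128, 127, 93, 154, 90, 144, 50, 39, 53, 62, 204, 231, 191, 247, 151, 3,
    255, 25, 48, 179, 72, 165, 181, 209, 215, 94, 146, 42, 172, 86, 170, 198,
    79, 184, 56, 210, 150, 164, 125, 182, 118, 252, 107, 226, 156, 116, 4, 241,
    69, 157, 112, 89, 100, 113, 135, 32, 134, 91, 207, 101, 230, 45, 168, 2,
    27, 96, 37, 173, 174, 176, 185, 246, 28, 70, 97, 105, 52, 64, 126, 15,
    85, 71, 163, 35, 221, 81, 175, 58, 195, 92, 249, 206, 186, 197, 234, 38,
    44, 83, 13, 110, 133, 40, 132, 9, 211, 223, 205, 244, 65, 129, 77, 82,
    106, 220, 55, 200, 108, 193, 171, 250, 36, 225, 123, 8, 12, 189, 177, 74,
    120, 136, 149, 139, 227, 99, 232, 109, 233, 203, 213, 254, 59, 0, 29, 57,
    242, 239, 183, 14, 102, 88, 208, 228, 166, 119, 114, 248, 235, 117, 75, 10,
    49, 68, 80, 180, 143, 237, 31, 26, 219, 153, 141, 51, 159, 17, 131, 20,
])
S_INV = bytes(S.index(v) for v in range(256))  # total only because S is a permutation

def compress_matrices(h, m):
    """The 19-row x 16-column matrices A, B, C of Figure 2 (row 0 = H_i, M_i,
    H_i xor M_i) plus t_in[j], the byte fed into the left-hand side of row j."""
    A, B, C = [list(h)], [list(m)], [[x ^ y for x, y in zip(h, m)]]
    t, t_in = 0, [None]
    for j in range(18):
        t_in.append(t)
        for mat in (A, B, C):
            row = []
            for x in mat[j]:
                t = x ^ S[t]          # phi: byte above XOR S(byte to the left)
                row.append(t)
            mat.append(row)
        t = (t + j) & 0xFF            # RFC 1319: t = (t + j) mod 256 after round j
    return A, B, C, t_in

def F(h, m):
    """Compression function: H_{i+1} = F(H_i, M_i) is the last row of A."""
    return bytes(compress_matrices(h, m)[0][18])

def G(ic, m):
    """Checksum step IC_{i+1} = G(IC_i, M_i); the chained byte starts as IC_i[15]
    (the last byte written by the previous step, zero for IC_0 = 0)."""
    ic, last = list(ic), ic[15]
    for j in range(16):
        ic[j] ^= S[m[j] ^ last]
        last = ic[j]
    return bytes(ic)

def G_inverse(ic_next, m):
    """Recover IC_i from IC_{i+1} and M_i (Section 2.2): bytes 1..15 were chained
    on IC_{i+1}[j-1]; byte 0 was chained on IC_i[15], which we recover first."""
    prev = [0] * 16
    for j in range(1, 16):
        prev[j] = ic_next[j] ^ S[m[j] ^ ic_next[j - 1]]
    prev[0] = ic_next[0] ^ S[m[0] ^ prev[15]]
    return bytes(prev)

def md2(msg):
    """Full MD2: pad, append the checksum block C, then iterate F from H_0 = 0."""
    pad = 16 - len(msg) % 16
    padded = msg + bytes([pad]) * pad
    blocks = [padded[i:i + 16] for i in range(0, len(padded), 16)]
    ic = bytes(16)
    for b in blocks:
        ic = G(ic, b)
    h = bytes(16)
    for b in blocks + [ic]:
        h = F(h, b)
    return h.hex()

def recover_A(h_i, h_next, t2):
    """First Step of Section 4.2 (helper name is ours): rebuild all of A from the
    challenge (H_i, H_{i+1}) = rows 0 and 18 plus the guessed left input t2 of row 2."""
    A = [[None] * 16 for _ in range(19)]
    A[0], A[18] = list(h_i), list(h_next)
    # Upwards from row 18: A[j-1][i] = A[j][i] ^ S[A[j][i-1]], so row j-1 becomes
    # known on columns 19-j .. 15 (the dashed triangle of Figure 5).
    for j in range(18, 0, -1):
        for i in range(19 - j, 16):
            A[j - 1][i] = A[j][i] ^ S[A[j][i - 1]]
    # Row 1: its left input is always 0.  Row 2: its left input is the guess t2.
    for j, left in ((1, 0), (2, t2)):
        for i in range(16):
            A[j][i] = A[j - 1][i] ^ S[left]
            left = A[j][i]
    # Rows 3..17: column 15 lies in the triangle, so walk right to left using
    # the inverse S-box: A[j][i-1] = S^{-1}(A[j][i] ^ A[j-1][i]).
    for j in range(3, 18):
        for i in range(15, 0, -1):
            A[j][i - 1] = S_INV[A[j][i] ^ A[j - 1][i]]
    return A

def first_step_demo():
    """Constructed (H_i, M_i): the true t2 reproduces A exactly, a wrong guess
    does not, which is why the Analysis paragraph has an outer loop of 2^8."""
    h_i, m_i = bytes(range(16)), b"sixteen byte blk"   # constructed sample values
    A, _, _, t_in = compress_matrices(h_i, m_i)
    good = recover_A(h_i, bytes(A[18]), t_in[2]) == A
    bad = recover_A(h_i, bytes(A[18]), (t_in[2] + 1) & 0xFF) == A
    return good, bad
```

Under the RFC 1319 round schedule the correct guess t2 is the chaining byte left over after the first round, so the one-byte loop of the Analysis paragraph amounts to trying all 256 values of t2 and keeping the ones for which the recovered A is consistent with the rest of the computation; first_step_demo returns (True, False) to show that the true value reproduces A while a neighbouring value does not.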

Second Step. Then, the second step of the attack is to perform a meet-in-the-middle attack on the matrices B and C to find an appropriate value of M_i. Basically at this point, we know what enters on the left-hand side of B and what exits on the right-hand side of C. Hence, we apply the following "meet-in-the-middle" algorithm:

— Guess the 4 bytes (B^1_{15}, ..., B^4_{15})

• for all values of the 8 bytes (m_0, ..., m_7),

* compute the 4 bytes (B^1_7, ..., B^4_7) (this is possible because the sequence of A^j_{15}'s is known)

* compute the 4 bytes (C^1_7, ..., C^4_7) (this is possible because H_i is known)

* store these 4 + 4 = 8 bytes in a table T_1

• sort T_1 (which has 2^64 entries of 64 bits each)

• repeat the same process with (m_8, ..., m_15) to obtain a table T_2 that also contains the bytes (B^1_7, ..., B^4_7, C^1_7, ..., C^4_7)

• find all collisions between T_1 and T_2. This can be done efficiently by computing the joint product T = T_1 ⋈ T_2 (see [19]) with complexity of the order of 2^64

• the resulting table T contains on average 2^64 candidate values for M_i = (m_0, ..., m_15)

• loop over all these candidates to find all valid M_i's

One can also refer to Figure 6 for the general philosophy of this attack. Dashed boxes represent the 8 bytes stored in tables T_1 and T_2, where we look for collisions.



Fig. 6. The general philosophy of the attack (labels in the figure: known value, initial guess (32 bits), known value; m0,...,m7; m8,...,m15)



Analysis. In this attack, there are two outer loops. A loop of size 2^8 comes from the First Step of the attack (we need to guess one byte in order to find the full content of A). Besides, an outer loop of length 2^32 is required in the "meet-in-the-middle" algorithm. Inside these loops we need to create and sort the tables T_1 and T_2. Those are tables with 2^64 entries, sorted using a key of 64 bits. Sorting the tables can be done efficiently with an appropriate "bucket-sort" algorithm, so the cost is about 2^64 instructions. Creating the tables also has a cost of the order of 2^64 instructions. Since these two operations are performed twice (once for T_1 and once for T_2), the complexity is of the order of

$$\text{Complexity} = 2^{8} \times 2^{32} \times (4 \times 2^{64}) = 2^{106}$$

basic instructions. This corresponds approximately to 2^95 applications of the compression function (a quick estimation shows that about 2^11 instructions are needed for the compression function).
This should be compared to the complexity of an exhaustive search to find a preimage, which would cost 2^128 applications of the compression function. However, our attack requires about 2^^ bits of memory. High memory requirements are known to increase the "real" cost of attacks [20]. Nevertheless this complexity is of the order of 2^{3n/4}, while 2^n would be expected for a good compression function on n bits. An improved attack is also proposed in Appendix A to reduce these memory requirements. Further improvements have been investigated but no attack with complexity below 2^{3n/4} was found.

4.3 Attacking Scenario 2 

In the second scenario, the message block M_i is fixed and we search for an appropriate H_i. Attacking this scenario is very similar to attacking scenario 1 because there is an important symmetry in the compression function.

In the previous attack we managed to reconstruct the content of A from the initial challenge, and then applied a "meet-in-the-middle" attack to B and C. In Scenario 2, we can reconstruct the content of B from the challenge (M_i, H_{i+1}) and then attack the matrices A and C by the middle. Details of this attack are not very helpful to break the full MD2 hash, so we decided not to explore this scenario further.

4.4 Attacking Scenario 3 

Finally, we suppose that only H_{i+1} is fixed, and the problem is to find any pair (H_i, M_i) solving the equation

$$H_{i+1} = F(H_i, M_i)$$

This type of attack is often referred to as a pseudo-preimage attack on the compression function [9]. Of course, it is easier to find such a solution because we have more degrees of freedom. Therefore we wish to find an attack with complexity better than the previous 2^95. In this section, we describe an attack with complexity of the order of 2^73 against this scenario.

The Attack. First, one should notice that many solutions exist to this problem. Indeed, we expect

$$\frac{2^{256}}{2^{128}} = 2^{128}$$

solutions on average, since the 2^256 input pairs (H_i, M_i) are mapped onto 2^128 output values. Therefore it is reasonable to impose some additional constraints.

Like for the previous attacks, we first derive all possible information from the given challenge (H_{i+1} here). In addition, we impose the constraint that A^1_{15} = A^2_{15} = c, where c is some constant, say c = 0 for instance. Figure 7 represents the resulting known values in the matrix A.

We observe that the complete rightmost column of A is known, which helps when considering the behavior of matrix B. At this point, a 6-byte constant (k_0, ..., k_5) is chosen at random. Then we apply the following algorithm:
Fig. 7. Known values in the matrix A

— Pick 2^72 messages M_i of the form

where the m_i's are chosen at random. It is straightforward to compute the matrix B for each M_i since the rightmost column of A is known. Hence we build a table T (with 2^72 entries) where we store the rightmost column of B, i.e. the B^j_{15}'s.

— Pick 2^64 intermediate hashes H_i of the form

where the h_i's are chosen at random¹. It is straightforward to compute the complete matrix A for each H_i. Therefore all values C^j_{15} for j > 0 are also known. Besides, H_i ⊕ M_i ends with the bytes (k_0 ⊕ k_0, ..., k_5 ⊕ k_5), thus the 6 rightmost boxes of the first row of C are known and equal to 0. Hence a lot of information about C can be derived (see Figure 8). By the way, the bytes B^j_{15} for 11 ≤ j ≤ 17 are also known at this point. We store these elements in a table T'.

The final step of the attack is to find collisions on the objects of 56 bits

that have been computed by two different means and stored in tables T and T'. Using the birthday paradox, we expect 2^80 collisions because

$$|T| \times |T'| \times 2^{-56} = 2^{72} \times 2^{64} \times 2^{-56} = 2^{80}$$

¹ Actually there is an extra constraint (on the bytes of A fixed above). Thus only 1 out of 256 values of H_i is valid. Once (h_1, ..., h_9) are chosen, the value of h_0 is fully determined. This induces no extra cost but must be taken into account when choosing the H_i's.
All these collisions can be found efficiently by computing T ⋈ T' (see [19]). Each collision corresponds to some pair (H_i, M_i). In order for this pair to solve the initial problem, we need an additional equality between

— the bytes (B^1_{15}, ..., B^{10}_{15}) stored in table T

— the value of the same bytes obtained when we fill up all the content of matrix C (which is possible for each candidate since H_i ⊕ M_i is now known).

Hence a little extra processing is required to find a real solution, and a condition on 80 bits must be verified. However, we have 2^80 candidates from the joint product of T and T', so one "real" solution should be found among them. The probability of failure (i.e. that no solution exists) can be roughly approximated by 1/e ≈ 0.368. Otherwise, we can pick a few more candidates for M_i and H_i or choose other constants.

Analysis. The bottleneck in the previous attack is the time spent analyzing each of the 2^80 candidates (H_i, M_i). However, using an "early-abort" strategy, most candidates can be eliminated after the first check, on the value B^1_{15}. Therefore only half a row of matrix C must be computed on average. To compute the compression function, 3 × 18 = 54 rows are computed. So we have a speedup by a factor

$$2 \times 54 \approx 2^{6.75}$$

compared to a full computation of F.

Therefore this pseudo-preimage attack has complexity of about 2^73 computations of the compression function, and requires about 2^78 bits of memory. This is much faster than the expected value of 2^128. All attacks against the compression function are summarized in Table 1.
Table 1. Summary of the attacks against the compression function

Attack          | Fixed Challenge  | Variable     | Time  | Memory
Simple          | H_{i+1} and H_i  | M_i          | 2^95  | 2 '"
Improved        | H_{i+1} and H_i  | M_i          | 2^95  | 2^38
Pseudo-Preimage | H_{i+1}          | H_i and M_i  | 2^73  | 2^78

5 Preimage Attacks for the Full MD2 Hash 

The objective of a preimage attack is, for a given challenge h, to find a message m such that hashing m with MD2 gives h:

$$MD2(m) = h$$

Classical techniques exist to turn attacks against the compression function into attacks against the full hash. However, they apply to classical iterated hash functions, like those based on the Merkle-Damgård paradigm. The use of an additional checksum in MD2 makes things slightly more complicated.

5.1 Attacking MD2 Without the Checksum

If we omit the checksum, it is straightforward to apply the previous attacks directly to MD2. For instance, the attack described in Section 4.2 is immediately useful. Indeed, for a given (H_i, H_{i+1}), we are able to find M_i such that:

$$H_{i+1} = F(H_i, M_i)$$

faster than exhaustive search. If we take H_i = 0 (i.e. the IV of the MD2 specifications) and H_{i+1} = h (the target value), the 1-block message m = M_i basically solves the preimage problem (some extra work might be necessary to ensure the padding is correct). Anyway, this clearly no longer works when the checksum block is appended at the end.

Preimage attacks against the full hash can also be found based on a pseudo-preimage attack (like the one described in Section 4.4, with complexity 2^73). For instance, a general meet-in-the-middle technique is:

— Pick 2^100 random values of the first message block M_1, and store all intermediate hashes H_1 in a table T_1.

— Apply the pseudo-preimage attack 2^28 times and, for each solution (H_2, M_2), store the intermediate hash H_2 in a table T_2.

— Search for a collision between some H_1 in table T_1 and some H_2 in table T_2. The corresponding message m = (M_1, M_2) is a solution.

Since 2^100 × 2^28 = 2^128, a collision is indeed expected. Hence this attack builds a solution m of length two blocks and has complexity of the order of 2^101, which is faster than exhaustive search. However, when the checksum is used, this input message is likely to be invalid. Indeed, we need a collision on the intermediate hash values and the intermediate checksums simultaneously.
5.2 A Chaining Attack

The principle of chaining attacks is to iterate an attack against the compression function, while chaining the intermediate variables used in each attack. Here, we first choose at random a sequence of intermediate hashes of the form:

$$0 = H_0, H_1, \ldots, H_{127}, H_{128} = h$$

For each pair (H_i, H_{i+1}), we apply the attack of Section 4.2 to find all solutions of:

$$H_{i+1} = F(H_i, M_i)$$

A constraint we add is that at least two solutions M_i and M'_i must be found, for all i. Assuming F is a random function, this should happen with a reasonable probability (called p). It can roughly be approximated by 1 minus the probability of having exactly 0 or 1 solution:

$$p \approx 1 - (1 - 2^{-128})^{2^{128}-1} - (1 - 2^{-128})^{2^{128}} \approx 1 - 2e^{-1} \approx 0.264$$

If there are fewer than 2 solutions, we throw away H_{i+1} and pick another value. On average, we need to apply the attack of Section 4.2 128 × 1/p ≈ 2^9 times to find an appropriate pair of solutions (M_i, M'_i) for all i.

Then we have 2^128 possible messages that are solutions of the preimage problem for MD2 with challenge h (there are 2 possible message blocks for each i). Among them, one message is likely to satisfy the checksum constraint, i.e. its last block should be the checksum of the 127 previous blocks. To find this message, a simple meet-in-the-middle attack applies:

— Compute the 2^64 intermediate checksums IC_64 by testing the two possible message blocks at all positions i, 0 ≤ i ≤ 63.

— Compute the 2^64 intermediate checksums IC_64 by inverting the checksum function G, starting from both values M_127 and M'_127, and for all message blocks at positions i, 64 ≤ i ≤ 127.

— Search for a collision between these 2 lists of 2^64 elements.

This technique is similar to the one used in [6]. The resulting attack against the full hash is only marginally slower than the attack against the compression function, since the deterioration corresponds to a factor 2^9. Therefore it will cost about 2^95 × 2^9 = 2^104 applications of the compression function. In addition, a memory of 2^^ bits is required (or 2^38 using the improved algorithm of Appendix A). This is much faster than a naive exhaustive search.

6 Second Preimage Attacks 

A second preimage attack consists, for the challenge of a message m, in providing a second message m' which gives the same MD2 hash:

$$MD2(m) = MD2(m')$$

The resistance of MD2 against this type of attack is critical for the security of existing certificates. Indeed a certificate generally consists of a data part m and a signature of the data part. To compute this signature, a hash of the data part is generally computed. If an attacker is able to replace m with another data part m' mapping to the same hash, he is able to forge a new certificate.

If we omit the checksum blocks for MD2, it is straightforward to find a second preimage, based on the previous attacks. For any of the intermediate steps

$$H_{i+1} = F(H_i, M_i)$$

in the original message m, we apply the attack described in Section 4.2. With probability p ≈ 0.26, another message block M'_i mapping H_i to H_{i+1} is found. Then we can simply substitute M'_i for M_i to forge a new certificate.

Unfortunately, when the checksum is used, this attack no longer works because the checksum is altered by the previous substitution. Therefore the last message block is no longer valid.

We could not find a dedicated second preimage attack against the full MD2, including the checksum bytes. An attack is still possible by applying a preimage attack on h = MD2(m). The result m' is a preimage of h and is very likely to be different from m. Unfortunately m' is very constrained:

— its length is at least 128 blocks (including the checksum block), so the message m' is of length ≥ 2 Kbytes. Some variants of the attack can increase this message length but it is not possible to reduce it. This is slightly larger than a typical certificate; however, a trade-off between the size of the forged certificate and the probability of success could also be envisaged.

— at least 128 blocks in the forged certificate are random and therefore cannot be chosen by the attacker.

Altogether, it seems difficult for the moment to forge new certificates that respect the required format. However, we are not far from it and we think it is an interesting topic for further research. We encourage a deeper analysis of the MD2 hash function, whose security, especially regarding (second) preimage attacks, is important for many existing certificates.

7 Conclusion 

In this paper, we described preimage and pseudo-preimage attacks against the compression function of MD2, the best of which has complexity 2^73. The resulting attack against the full hash (including the checksum) costs about 2^104 applications of the compression function. As a consequence, MD2 can no longer be considered a secure one-way hash function.

These results are also very interesting from a theoretical point of view, be- 
cause preimage attacks against hash functions are quite rare. Most of the research 
in recent years has focused on finding collisions for hash functions. 
A A Memory-Efficient Attack

The attack described in Section 4.2 is much faster than an exhaustive search; however, the large memory requirements make it highly impractical and probably contribute to under-estimating the "real" complexity. Here, we propose an improved attack regarding the data complexity.

The general idea of the attack of Section 4.2 is to split the target $M_i$ in two halves $(m_0, \ldots, m_7)$ and $(m_8, \ldots, m_{15})$ of 64 bits each. The improved attack consists in splitting $M_i$ in 4 parts instead of 2 using the following algorithm:

- Guess the 6 bytes {(B^, (Bjg, Bf^), {C],C^)}
  • guess the 4 bytes $m_0, \ldots, m_3$
    * compute and store in table $T_1$ the bytes Bg, B|, Gg, Cf
  • guess the 4 bytes $m_4, \ldots, m_7$
    * compute and store in table $T_2$ the bytes Bg, B|, G|, G|
  • guess the 4 bytes $m_8, \ldots, m_{11}$
    * compute and store in table $T_3$ the bytes Bh, Bgg, Ch, Cfi
  • guess the 4 bytes $m_{12}, \ldots, m_{15}$
    * compute and store in table $T_4$ the bytes Bh, Bgg, Ch, Cfi
  • Compute the joint product $T = T_1 \bowtie T_2$ of size $2^{32}$. It contains candidate values for $(m_0, \ldots, m_7)$.
  • Compute the joint product $T' = T_3 \bowtie T_4$ of size $2^{32}$. It contains candidate values for $(m_8, \ldots, m_{15})$.
  • Guess 2 additional bytes Bf^ and Bfg
    * For each element of T compute the 4 bytes By, B|, Gy, Gy
    * Compute similarly these 4 bytes for each element of $T'$
    * Search for a collision in the two resulting lists.
  • This results in a list of $2^{32}$ candidates for $(m_0, \ldots, m_{15})$.

This slightly more complex attack has complexity of the order of

2® X 2^® X 2^® X 2®^ ≈ $2^{104}$

instructions, like previously. However, the largest tables we handle have $2^{32}$ entries of 32 bits. The philosophy of this improved attack is described in Figure 9.



Fig. 9. The general philosophy of the improved attack. (Figure layout, left to right: known value; initial guess (16 bits); initial guess (16 bits); initial guess (16 bits); known value; below them, second guess (16 bits).)
Abstract. We investigate efficient protocols for password-authenticated key exchange based on the RSA public-key cryptosystem. To date, most of the published protocols for password-authenticated key exchange were based on Diffie-Hellman key exchange. It seems difficult to design efficient password-authenticated key exchange protocols using RSA and other public-key cryptographic techniques. In fact, many of the proposed protocols for password-authenticated key exchange based on RSA have been shown to be insecure; the only one that remains secure is the SNAPI protocol. Unfortunately, the SNAPI protocol has to use a prime public exponent e larger than the RSA modulus n. In this paper, we present a new password-authenticated key exchange protocol, called PEKEP, which allows using both large and small prime numbers as RSA public exponent. Based on number-theoretic techniques, we show that the new protocol is secure against the e-residue attack, a special type of off-line dictionary attack against RSA-based password-authenticated key exchange protocols. We also provide a formal security analysis of PEKEP under the RSA assumption and the random oracle model. On the basis of PEKEP, we present a computationally-efficient key exchange protocol to mitigate the burden on communication entities.



1 Introduction 

The design of authentication and key exchange protocols is usually based on the assumption that entities either share or own some secret data (called keys) which are drawn from a space so large that an adversary cannot enumerate, either on-line or off-line, all possible keys in the space. In practice, however, cryptographic keys may often be substituted by human-memorable passwords consisting of only six to ten characters. The consequence is the proliferation of the so-called exhaustive guessing or dictionary attacks against many password-based systems [26]. Password guessing attacks have been around for so long that it seems paradoxical that strong authentication using only small passwords would be possible. In 1992, Bellovin and Merritt [5] showed that such paradoxical protocols did exist. They presented a family of protocols known as Encrypted Key Exchange, or EKE. By using a combination of symmetric and asymmetric (public-key) cryptographic techniques, EKE provides insufficient information for an adversary to verify a guessed password and thus defeats off-line dictionary attacks. Following EKE, a number of protocols for password-based authentication and key exchange have been proposed, e.g., [2, 6, 8, 10, 11, 13, 15-17, 21, 25]. A comprehensive list of such protocols can be found in Jablon's research link [14].

Password-authenticated key exchange protocols are attractive for their simplicity and convenience and have received much interest in the research community. Over the last decade, many researchers have investigated the feasibility of implementing EKE using different public-key cryptosystems such as RSA, ElGamal, and Diffie-Hellman key exchange. Nonetheless, most of the well-known and secure variants of EKE are based on Diffie-Hellman key exchange. It seems that EKE works well with Diffie-Hellman key exchange, but presents subtleties when implemented with RSA and other public-key cryptosystems. In their original paper [5], Bellovin and Merritt pointed out that the RSA-based EKE variant is subject to a special type of dictionary attack, called the e-residue attack. Based on number-theoretic techniques, Patel [22] further investigated the security of the RSA-based EKE variant and concluded that simple modifications of EKE would not protect the RSA-based EKE variant from off-line dictionary attacks. In 1997, Lucks [18] proposed an RSA-based password-authenticated key exchange protocol (called OKE) which was claimed to be secure against the e-residue attack. Later, MacKenzie et al. [19] found that the OKE protocol is still subject to the e-residue attack. In [19], MacKenzie et al. proposed an RSA-based password-authenticated key exchange protocol (SNAPI) and provided a formal security proof in the random oracle model. The SNAPI protocol mandates that the public exponent e be a prime number larger than the RSA modulus n. This ensures that e is relatively prime to $\phi(n)$.

To avoid using large public exponents, Zhu et al. [27] proposed an "interactive" protocol which is revised from an idea of [5]. In the interactive protocol, Bob sends to Alice a number of messages encrypted using Alice's public key. If Alice can successfully decrypt the encrypted messages, then Bob is ensured that the encryption based on Alice's public key is a permutation. In [24], Wong et al. revised the interactive protocol of [27] to reduce the message size involved in the interactive protocol. Recently, Catalano et al. [9] proposed an interactive protocol similar to that of [24] and provided a security proof in the random oracle model. A drawback of the interactive protocols [27, 24, 9] is the large communication overhead involved in the verification of the RSA public key.

In this paper, we investigate RSA-based password-authenticated key exchange protocols that can use both large and small primes as RSA public exponent, but without inducing large communication overhead on communication entities. For this purpose, we develop a new protocol for password-authenticated key exchange based on RSA. The new protocol, called PEKEP, involves two entities, Alice and Bob, who share a short password, and Alice possesses a pair of RSA keys, n, e and d, where $ed \equiv 1 \pmod{\phi(n)}$. Unlike the protocol SNAPI, however, the new protocol PEKEP allows Alice to select both large and small primes for the RSA public exponent e. In the protocol PEKEP, Bob does not need to verify if e is relatively prime to $\phi(n)$, and furthermore, Bob does not have to test the primality of a large public exponent selected by Alice. Thus, the protocol PEKEP improves on SNAPI by reducing the cost of the primality test of RSA public exponents. The protocol PEKEP also improves on the interactive protocols of [27, 24, 9] by reducing the size of messages communicated between Alice and Bob. Based on number-theoretic techniques, we prove that the protocol PEKEP is secure against the e-residue attack as described in [5, 22]. We also provide a formal security analysis of PEKEP under the RSA assumption and the random oracle model.

To further reduce the computational load on entities, we present a computationally efficient key exchange protocol (called CEKEP) in this paper. The protocol CEKEP is derived from PEKEP by adding two additional flows between Alice and Bob. With the two additional flows, we show that the probability for an adversary to launch a successful e-residue attack against CEKEP is less than or equal to $\varepsilon$, where $\varepsilon$ is a small number (e.g., $0 < \varepsilon < 2^{-80}$) selected by Bob. In the protocol CEKEP, the computational burden on Bob includes two modular exponentiations, each having an exponent of $O(\lceil \log_2 \varepsilon^{-1} \rceil)$ bits. When $\varepsilon = 2^{-80}$, for example, the computational burden on Bob is lighter than that in a Diffie-Hellman based password-authenticated key exchange protocol. In the Diffie-Hellman based EKE variant, Bob needs to compute two modular exponentiations, each having an exponent of at least 160 bits.

The rest of the paper is organized as follows. We provide an overview of 
the security model for password-authenticated key exchange in Section 2. In 
Section 3, we present the protocol PEKEP and investigate its security against 
e-residue attack. We describe the protocol CEKEP in Section 4 and pursue 
formal security analysis of PEKEP and CEKEP in Section 5. We conclude in 
Section 6. 



2 Security Model 

We consider two-party protocols for authenticated key exchange using human-memorable passwords. In its simplest form, such a protocol involves two entities, say Alice and Bob (denoted by A and B), both possessing a secret password drawn from a small password space $\mathcal{D}$. Based on the password, Alice and Bob can authenticate each other and, upon a successful authentication, establish a session key which is known to nobody but the two of them. There is present an active adversary, denoted by $\mathcal{A}$, who intends to defeat the goal of the protocol. The adversary has full control of the communications between Alice and Bob. She can deliver messages out of order and to unintended recipients, concoct messages of her own choosing, and create multiple instances of entities and communicate with these instances in parallel sessions. She can also enumerate, off-line, all the passwords in the password space $\mathcal{D}$. She can even acquire session keys of accepted entity instances. Our formal model of security for password-authenticated key exchange protocols is based on that of [2]. In the following, we review the operations of the adversary and formulate the definition of security. For details of the security model, we refer the readers to [2].




New Approaches to Password Authenticated Key Exchange Based on RSA 233 



Initialization. Let I denote the identities of the protocol participants. Elements of I will often be denoted A and B (Alice and Bob). We emphasize that A and B are variables ranging over I and not fixed members of I. Each pair of entities, $A, B \in I$, are assigned a password w which is randomly selected from the password space $\mathcal{D}$. The initialization process may also specify a set of cryptographic functions (e.g., hash functions) and establish a number of cryptographic parameters.

Running the Protocol. Mathematically, a protocol $\Pi$ is a probabilistic polynomial-time algorithm which determines how entities behave in response to received messages. For each entity, there may be multiple instances running the protocol in parallel. We denote the i-th instance of entity A as $\Pi_A^i$. The adversary $\mathcal{A}$ can make queries to any instance; she has an endless supply of $\Pi_A^i$ oracles ($A \in I$ and $i \in \mathbb{N}$). In response to each query, an instance updates its internal state and gives its output to the adversary. At any point in time, the instance may accept and possess a session key sk, a session id sid, and a partner id pid. The query types, as defined in [2], include:

- Send(A, i, M): This sends message M to instance $\Pi_A^i$. The instance executes as specified by the protocol and sends back its response to the adversary. Should the instance accept, this fact, as well as the session id and partner id, will be made visible to the adversary.

- Execute(A, i, B, j): This call carries out an honest execution between two instances $\Pi_A^i$ and $\Pi_B^j$, where $A, B \in I$, $A \ne B$, and instances $\Pi_A^i$ and $\Pi_B^j$ were not used before. At the end of the execution, a transcript is given to the adversary, which logs everything an adversary could see during the execution (for details, see [2]).

- Reveal(A, i): The session key $sk_A^i$ of $\Pi_A^i$ is given to the adversary.

- Test(A, i): The instance $\Pi_A^i$ generates a random bit b and outputs its session key $sk_A^i$ to the adversary if b = 1, or else a random session key if b = 0. This query is allowed only once, at any time during the adversary's execution.

- Oracle(M): This gives the adversary oracle access to a function h, which is selected at random from some probability space $\Omega$. The choice of $\Omega$ determines whether we are working in the standard model, or in the random-oracle model (see [2] for further explanations).

Note that the Execute query type can be implemented by using the Send query type. The Execute query type reflects the adversary's ability to passively eavesdrop on protocol execution. As we shall see, the adversary shall learn nothing about the password or the session key from such oracle calls. The Send query type allows the adversary to interact with entity instances and to carry out an active man-in-the-middle attack on the protocol execution.

Definition. Let $\Pi_A^i$ and $\Pi_B^j$, $A \ne B$, be a pair of instances. We say that $\Pi_A^i$ and $\Pi_B^j$ are partnered if both instances have accepted and hold the same session id sid and the same session key sk. Here, we define the sid of $\Pi_A^i$ (or $\Pi_B^j$) as the concatenation of all the messages sent and received by $\Pi_A^i$ (or $\Pi_B^j$). We say that $\Pi_A^i$ is fresh if: i) it has accepted; and ii) a Reveal query has not been called either on $\Pi_A^i$ or on its partner (if there is one). With these notions, we now define the advantage of the adversary $\mathcal{A}$ in attacking the protocol. Let Succ denote the event that $\mathcal{A}$ asks a single Test query on a fresh instance, outputs a bit $b'$, and $b' = b$, where b is the bit selected during the Test query. The advantage of the adversary $\mathcal{A}$ is defined as $\mathrm{Adv}_{\mathcal{A}}^{\Pi} = 2\Pr(\mathrm{Succ}) - 1$.

It is clear that a polynomial-time adversary $\mathcal{A}$ can always gain an advantage close to 1 if we do not limit her capability to perform on-line password-guessing attacks. In such an attack, the adversary picks a password $\pi$ as her guess and then impersonates an instance to start the protocol towards another instance $\Pi_B^j$. By observing the decision of $\Pi_B^j$ (i.e., accepts or rejects), the adversary can test the correctness of the guessed password $\pi$. Furthermore, by analyzing, off-line, the transcript of the execution, the adversary may be able to test passwords other than $\pi$. For a secure protocol, we expect that the adversary can only test a single password in each on-line password-guessing attack. As suggested in [10], we use the Send query type to count the number of on-line guesses performed by the adversary. We only count one Send query for each entity instance, that is, if the adversary sends two Send queries to an entity instance, it should still count as a single password guess. Based on this idea, we have the following definition of a secure password-authenticated key exchange protocol, which is the same as in [10].

Definition 1. A protocol $\Pi$ is called a secure password-authenticated key exchange protocol if for every polynomial-time adversary $\mathcal{A}$ that makes at most $Q_{\mathrm{send}}$ ($Q_{\mathrm{send}} < |\mathcal{D}|$) queries of Send type to different instances, the following two conditions are satisfied:

(1) Except with negligible probability, each oracle call Execute(A, i, B, j) produces a pair of partnered instances $\Pi_A^i$ and $\Pi_B^j$.

(2) $\mathrm{Adv}_{\mathcal{A}}^{\Pi} \le Q_{\mathrm{send}}/|\mathcal{D}| + \epsilon$, where $|\mathcal{D}|$ denotes the size of the password space and $\epsilon$ is a negligible function of security parameters.

The first condition basically says that when the adversary carries out an honest execution between two instances $\Pi_A^i$ and $\Pi_B^j$ ($A \ne B$), both instances accept and hold the same session key and the same session id. The second condition means that the advantage of the adversary is at most negligibly more than $Q_{\mathrm{send}}/|\mathcal{D}|$ if she sends at most $Q_{\mathrm{send}}$ queries of Send type to different entity instances, or equivalently, if she interacts on-line with at most $Q_{\mathrm{send}}$ entity instances using the Send query type.



3 Password Enabled Key Exchange Protocol 

In this section, we present a new protocol, called Password Enabled Key Exchange Protocol, or simply, PEKEP. In the protocol PEKEP, there are two entities, Alice and Bob, who share a password w drawn at random from the password space $\mathcal{D}$, and Alice has also generated a pair of RSA keys n, e and d, where n is a large positive integer (e.g., $n > 2^{1024}$) equal to the product of two primes of (roughly) the same size, e is a positive integer relatively prime to $\phi(n)$, and d is a positive integer such that $ed \equiv 1 \pmod{\phi(n)}$. The encryption function is defined by $E(x) = x^e \bmod n$, $x \in \mathbb{Z}_n$. The decryption function is $D(x) = x^d \bmod n$. For a positive integer m, we define $E^m$ recursively as $E^m(x) = E(E^{m-1}(x)) = x^{e^m} \bmod n$. Likewise, $D^m(x) = D(D^{m-1}(x)) = x^{d^m} \bmod n$. Before describing the protocol, let us review some facts of number theory.

Let a be a positive integer relatively prime to n; we say that a is an e-th power residue of n if the congruence $x^e \equiv a \pmod n$ has a solution in $\mathbb{Z}_n^*$. Let g be a positive integer relatively prime to n. The least positive integer i such that $g^i \equiv 1 \pmod n$ is called the order of g modulo n. If the order of g is equal to $\phi(n)$, then g is called a primitive root of n. It is known (see [1, 23]) that a positive integer n, n > 1, possesses a primitive root if and only if $n = 2, 4, p^t$ or $2p^t$, where p is an odd prime and t is a positive integer. If n has a primitive root
g, then a positive integer a relatively prime to n can be represented as $a \equiv g^i \pmod n$, $0 \le i \le \phi(n) - 1$. The integer i is called the index of a to the base g modulo n, and is denoted by $\mathrm{ind}_g a$.

Define hash functions $H_1, H_2, H_3 : \{0,1\}^* \to \{0,1\}^k$ and $H : \{0,1\}^* \to \mathbb{Z}_n$, where k is a security parameter, e.g., k = 160. Note that H can be implemented using a standard hash function $h : \{0,1\}^* \to \{0,1\}^{\ell}$, where $\ell$ is the length of n, i.e., $\ell = \lceil \log_2 n \rceil$. On input x, $H(x) = h(x)$ if $h(x) < n$, and $H(x) = h(x) - \lfloor n/2 \rfloor$ otherwise. The protocol PEKEP is described in Fig. 1.

Alice (A): password w; RSA keys n, e, d.          Bob (B): password w.

Alice: $r_A \in_R \{0,1\}^k$
  A → B: $r_A, n, e, A$
Bob: e odd prime? and n odd? If yes, $m = \lfloor \log_e n \rfloor$;
  $a \in_R \mathbb{Z}_n^*$, $r_B \in_R \{0,1\}^k$;
  $\alpha = H(w, r_A, r_B, A, B, n, e)$;
  if $\gcd(\alpha, n) = 1$, $\lambda = \alpha$, else $\lambda \in_R \mathbb{Z}_n^*$;
  $z = E^m(\lambda E(a))$
  B → A: $r_B, z$
Alice: $\alpha = H(w, r_A, r_B, A, B, n, e)$;
  if $\gcd(\alpha, n) \ne 1$, $b \in_R \mathbb{Z}_n$, else $b = D(\alpha^{-1} D^m(z))$;
  $\mu = H_1(b, r_A, r_B, A, B, n, e)$
  A → B: $\mu$
Bob: $\mu \stackrel{?}{=} H_1(a, r_A, r_B, A, B, n, e)$. Reject if not, else
  $\eta = H_2(a, r_A, r_B, A, B, n, e)$; $sk = H_3(a, r_A, r_B, A, B, n, e)$
  B → A: $\eta$
Alice: $\eta \stackrel{?}{=} H_2(b, r_A, r_B, A, B, n, e)$. Reject if not, else
  $sk = H_3(b, r_A, r_B, A, B, n, e)$

Fig. 1. Password Enabled Key Exchange Protocol (PEKEP)

Alice starts the protocol by sending her public key (n, e) and a random number $r_A \in_R \{0,1\}^k$ to Bob. Bob verifies if e is an odd prime and n is an odd integer. Bob may also verify that the integer n is large enough, e.g., $n > 2^{1024}$. If e is not an odd prime or n is not an odd integer, Bob rejects; otherwise, Bob computes an integer $m = \lfloor \log_e n \rfloor$ and selects two random numbers $a \in_R \mathbb{Z}_n^*$ and $r_B \in_R \{0,1\}^k$. Bob then computes $\alpha = H(w, r_A, r_B, A, B, n, e)$ and checks if $\gcd(\alpha, n) = 1$. If $\gcd(\alpha, n) \ne 1$, Bob assigns a random number of $\mathbb{Z}_n^*$ to $\lambda$; otherwise, Bob assigns $\alpha$ to $\lambda$. Next, Bob computes $z = E^m(\lambda E(a))$ and sends $r_B$ and z to Alice. Subsequently, Alice computes $\alpha$ using her password w and checks if $\alpha$ and n are relatively prime. If $\gcd(\alpha, n) \ne 1$, Alice assigns a random number of $\mathbb{Z}_n$ to the variable b. If $\gcd(\alpha, n) = 1$ and z is an $e^m$-th power residue of n, Alice sets $b = D(\alpha^{-1} D^m(z))$. Next, Alice and Bob authenticate each other using a and b and generate a session key sk upon successful authentication.
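The PEKEP flows just described, run end to end on a toy RSA key, as an added example (this is not the paper's code): both sides derive $\alpha$, Bob forms $z = E^m(\lambda E(a))$ with $m = \lfloor \log_e n \rfloor$, Alice recovers $b = D(\alpha^{-1} D^m(z))$, and the $\mu$ and $\eta$ checks decide acceptance. Assumptions not fixed by the paper: a labelled SHA-256 stands in for H, H_1, H_2, H_3; the primes, the password strings and the '|'-joined field serialization are constructed values.

```python
import hashlib
import math
import secrets

K = 160  # security parameter k: bit length of r_A, r_B and of the H_1, H_2, H_3 outputs


def _h(label, *fields):
    """Labelled SHA-256 over '|'-joined fields (our stand-in for the paper's hash functions)."""
    data = "|".join([label] + [str(f) for f in fields]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def H(n, *fields):
    """H: {0,1}* -> Z_n built as in the paper: h has l = ceil(log2 n) bits,
    output h if h < n and h - floor(n/2) otherwise."""
    h = _h("H", *fields) & ((1 << n.bit_length()) - 1)
    return h if h < n else h - n // 2


def H_k(i, *fields):
    """H_i: {0,1}* -> {0,1}^k for i in {1, 2, 3}."""
    return _h("H%d" % i, *fields) & ((1 << K) - 1)


def E_m(x, e, n, m):
    """E^m(x) = x^(e^m) mod n; E^0 is the identity and E^1 = E."""
    return pow(x, e ** m, n)


def D_m(x, d, n, m, phi):
    """D^m(x) = x^(d^m) mod n; Alice knows phi(n), so d^m is reduced first."""
    return pow(x, pow(d, m, phi), n)


def is_odd_prime(e):
    """Bob's check on the public exponent (trial division; e is small in this toy)."""
    return e >= 3 and e % 2 == 1 and all(e % q for q in range(3, math.isqrt(e) + 1, 2))


def floor_log(e, n):
    """m = floor(log_e n): the largest m with e^m <= n."""
    m = 0
    while e ** (m + 1) <= n:
        m += 1
    return m


def random_unit(n):
    """Uniform element of Z_n^*."""
    while True:
        x = secrets.randbelow(n - 1) + 1
        if math.gcd(x, n) == 1:
            return x


def rsa_keys(p, q, e):
    """(n, e, d, phi) for Alice; raises ValueError if gcd(e, phi) != 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, e, pow(e, -1, phi), phi


def run_pekep(keys, w_alice, w_bob, A="Alice", B="Bob"):
    """One PEKEP run.  Returns (sk_A, sk_B) if both accept, None at the first rejection."""
    n, e, d, phi = keys
    # Flow 1, Alice -> Bob: r_A, n, e, A
    r_A = secrets.randbits(K)
    # Bob only checks that e is an odd prime and n is odd, then sets m = floor(log_e n)
    if not (is_odd_prime(e) and n % 2 == 1):
        return None
    m = floor_log(e, n)
    a, r_B = random_unit(n), secrets.randbits(K)
    alpha_B = H(n, w_bob, r_A, r_B, A, B, n, e)
    lam = alpha_B if math.gcd(alpha_B, n) == 1 else random_unit(n)
    z = E_m(lam * E_m(a, e, n, 1) % n, e, n, m)          # z = E^m(lambda * E(a))
    # Flow 2, Bob -> Alice: r_B, z
    alpha_A = H(n, w_alice, r_A, r_B, A, B, n, e)
    if math.gcd(alpha_A, n) != 1:
        b = secrets.randbelow(n)
    else:  # b = D(alpha^-1 * D^m(z)); this equals a exactly when alpha_A == lambda
        b = D_m(pow(alpha_A, -1, n) * D_m(z, d, n, m, phi) % n, d, n, 1, phi)
    mu = H_k(1, b, r_A, r_B, A, B, n, e)
    # Flow 3, Alice -> Bob: mu.  Bob recomputes it from his own a.
    if mu != H_k(1, a, r_A, r_B, A, B, n, e):
        return None
    eta = H_k(2, a, r_A, r_B, A, B, n, e)
    sk_B = H_k(3, a, r_A, r_B, A, B, n, e)
    # Flow 4, Bob -> Alice: eta.  Alice recomputes it from her b.
    if eta != H_k(2, b, r_A, r_B, A, B, n, e):
        return None
    sk_A = H_k(3, b, r_A, r_B, A, B, n, e)
    return sk_A, sk_B


if __name__ == "__main__":
    toy_keys = rsa_keys(999983, 1000003, 17)   # constructed toy key; m = 9 here
    print(run_pekep(toy_keys, "correct horse", "correct horse"))
    print(run_pekep(toy_keys, "correct horse", "wrong guess"))
```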

Note that, when e is a prime number larger than n, Bob sets m = 0. In this case, the run of PEKEP is nearly identical to that of SNAPI. In the protocol PEKEP, Bob only verifies if the public exponent e is an odd prime and the RSA modulus n is an odd integer; Bob does not verify if e is relatively prime to $\phi(n)$. This may foster the so-called e-residue attack as described in [5, 22]. In the e-residue attack, an adversary, say, Eva, selects $\pi_0 \in \mathcal{D}$ as her guess of Alice's password. She also selects an odd prime number e and an odd integer n such that $e \mid \phi(n)$, i.e., (n, e) is not a valid RSA public key. Then Eva impersonates Alice and starts the protocol PEKEP by sending $r_E, n, e, A$ to Bob, where $r_E \in \{0,1\}^k$ is a random number generated by Eva. After receiving $r_B$ and z from Bob, Eva computes $\mu$ and sends it back to Bob. If Bob accepts, then Eva has a successful guess of Alice's password (i.e., $\pi_0$). If Bob rejects, on the other hand, Eva excludes her guess $\pi_0$ from the password space $\mathcal{D}$. Furthermore, Eva may exclude more passwords by repeating, off-line, the following three steps:

1) Eva selects a password $\pi$ from $\mathcal{D}$.

2) Eva computes $\alpha = H(\pi, r_E, r_B, A, B, n, e)$.

3) Eva tests if $\gcd(\alpha, n) = 1$. If not, Eva returns to step 1; otherwise, Eva verifies if the congruence $(\alpha x^e)^{e^m} \equiv z \pmod n$ has a solution in $\mathbb{Z}_n^*$. If the congruence has a solution, Eva returns to step 1. If the congruence has no solution in $\mathbb{Z}_n^*$, then Eva knows that $\pi$ is not the password of Alice. Next, Eva excludes $\pi$ from $\mathcal{D}$ and returns to step 1.

We say that Eva succeeds if she can exclude more than one password in the e-residue attack as described above. In the following, we show that the protocol PEKEP is secure against the e-residue attack.
Theorem 1. Let n, n > 1, be an odd integer with prime-power factorization $n = p_1^{a_1} p_2^{a_2} \cdots p_r^{a_r}$. Let m be a non-negative integer and e an odd prime such that for any prime-power of the factorization of n, $e^{m+1} \nmid \phi(p_i^{a_i})$, $1 \le i \le r$. If z is an $e^m$-th power residue of n, then for any $\lambda \in \mathbb{Z}_n^*$, the congruence $(\lambda x^e)^{e^m} \equiv z \pmod n$ has a solution in $\mathbb{Z}_n^*$.

Proof. To prove that $(\lambda x^e)^{e^m} \equiv z \pmod n$ has a solution in $\mathbb{Z}_n^*$, we only need to prove that, for each prime power $p_i^{a_i}$ of the factorization of n, the following congruence

$$(\lambda x^e)^{e^m} \equiv z \pmod{p_i^{a_i}} \qquad (1)$$

has a solution in $\mathbb{Z}_{p_i^{a_i}}^*$.

Let $n_i = p_i^{a_i}$, $1 \le i \le r$. Then $\phi(n_i) = p_i^{a_i - 1}(p_i - 1)$. Since n is odd, $p_i$ is an odd prime. Thus, the integer $n_i$ possesses a primitive root. Let g be a primitive root of $n_i$, that is, $g^{\phi(n_i)} \equiv 1 \pmod{n_i}$, and for any $0 \le i, j \le \phi(n_i) - 1$, $i \ne j$, $g^i \not\equiv g^j \pmod{n_i}$. Let $\gcd(e^m, \phi(n_i)) = e^c$, $0 \le c \le m$. We consider the following two cases:

(1) If c = 0, then e and $\phi(n_i)$ are relatively prime. In this case, it is clear that the congruence $(\lambda x^e)^{e^m} \equiv z \pmod{n_i}$ has a unique solution in $\mathbb{Z}_{n_i}^*$.

(2) Next, we consider the case that $1 \le c \le m$. Since z is an $e^m$-th power residue of n, the congruence $y^{e^m} \equiv z \pmod n$ has solutions in $\mathbb{Z}_n^*$. By the Chinese Remainder Theorem, the following congruence

$$y^{e^m} \equiv z \pmod{n_i} \qquad (2)$$

has solutions in $\mathbb{Z}_{n_i}^*$. Let $\mathrm{ind}_g z$ denote the index of z to the base g modulo $n_i$ and let $y \in \mathbb{Z}_{n_i}^*$ be a solution of (2); then $g^{e^m \mathrm{ind}_g y - \mathrm{ind}_g z} \equiv 1 \pmod{n_i}$. Since the order of g modulo $n_i$ is $\phi(n_i)$, we have

$$e^m\, \mathrm{ind}_g y \equiv \mathrm{ind}_g z \pmod{\phi(n_i)}. \qquad (3)$$

Also since $\gcd(e^m, \phi(n_i)) = e^c$, equation (3) has exactly $e^c$ incongruent solutions modulo $\phi(n_i)$ when taking $\mathrm{ind}_g y$ as variable. This indicates that equation (2) has $e^c$ solutions in $\mathbb{Z}_{n_i}^*$. Let $y_0$ denote one of the solutions of (2); then the $e^c$ incongruent solutions of (3) are given by

$$\mathrm{ind}_g y \equiv \mathrm{ind}_g y_0 + t\phi(n_i)/e^c \pmod{\phi(n_i)}, \quad 0 \le t \le e^c - 1. \qquad (4)$$

For any $\lambda \in \mathbb{Z}_n^*$, we have

$$\mathrm{ind}_g y - \mathrm{ind}_g \lambda \equiv \mathrm{ind}_g y_0 - \mathrm{ind}_g \lambda + t\phi(n_i)/e^c \pmod{\phi(n_i)}, \quad 0 \le t \le e^c - 1.$$

Under the condition that $e^{m+1} \nmid \phi(n_i)$, it is clear that $e \nmid \phi(n_i)/e^c$. Hence, $\phi(n_i)/e^c \not\equiv 0 \pmod e$. So, there exists an integer t, $0 \le t \le e^c - 1$, such that

$$\mathrm{ind}_g y_0 - \mathrm{ind}_g \lambda + t\phi(n_i)/e^c \equiv 0 \pmod e,$$

which implies that there exists an integer $y \in \mathbb{Z}_{n_i}^*$ such that $y^{e^m} \equiv z \pmod{n_i}$ and $y\lambda^{-1}$ is an e-th power residue of $n_i$. Therefore, equation (1) has a solution in $\mathbb{Z}_{n_i}^*$, which proves the theorem. □
In PEKEP, Bob sets m equal to $\lfloor \log_e n \rfloor$. Thus, for every prime-power of the factorization of n, we have $e^{m+1} > n > \phi(p_i^{a_i})$. By Theorem 1, for any $\lambda \in \mathbb{Z}_n^*$, the congruence $(\lambda x^e)^{e^m} \equiv z \pmod n$ has a solution in $\mathbb{Z}_n^*$, where z is the $e^m$-th power residue computed by Bob. Hence, by repeating (off-line) the three steps as described previously, Eva could not exclude any password from the space $\mathcal{D}$. So, the protocol PEKEP is secure against e-residue attacks. In Section 5, we will provide a formal analysis of PEKEP within the security model described in Section 2.

At the beginning of PEKEP, Bob needs to test the primality of the public exponent e selected by Alice. When e is small, e.g., e = 17, the primality test only induces moderate overhead on Bob. When e is large (e.g., e > 2®^^), however, the computational load for the primality test would be tremendous. In the following, we show that the primality test of large public exponents by Bob could be avoided with a slight modification of PEKEP. In the protocol PEKEP, Bob can actually select a small prime number e' (e.g., e' = 3) and replace Alice's public key (n, e) by (n, e'), that is, Bob computes $m, \alpha, z, \eta, sk$ using (n, e') instead of Alice's public key (n, e). Theorem 1 demonstrates that the replacement does not lead to e-residue attacks, even if e' is not relatively prime to $\phi(n)$. So, when the public exponent e received from Alice exceeds a threshold, Bob replaces e by a smaller prime number e' ($2 < e' < e$) of his own choosing. Bob sends $r_B$, z, and e' to Alice in the second flow. After receiving e' from Bob, Alice tests if e' is relatively prime to $\phi(n)$. If $\gcd(e', \phi(n)) \ne 1$, Alice sends a random number from $\{0,1\}^k$ to Bob; Alice may select a smaller prime number for e in the next communication session. If $\gcd(e', \phi(n)) = 1$, Alice replaces her decryption key by d' and then proceeds as specified in Fig. 1, where $e'd' \equiv 1 \pmod{\phi(n)}$.

In each run of PEKEP, Bob computes m + 1 encryptions using Alice's public key (n, e), where $m = \lfloor \log_e n \rfloor$. The computation time for the m + 1 encryptions is $O((\log_2 n)^3)$, which means that the computational load on Bob is about the same as that in SNAPI. As discussed above, however, Bob does not have to perform the primality test of large public exponents. Hence, the protocol PEKEP still improves on SNAPI by reducing the cost of the primality test of the RSA public exponent. Since Alice has knowledge of $\phi(n)$, she only needs to perform two decryptions in each run of PEKEP; one using the decryption key $d_1 = d$ and another using the decryption key $d_2 = d^m \bmod \phi(n)$. Note that the computational load on Bob is high even when e is small. In Section 4, we present a computationally-efficient key exchange protocol which greatly reduces the computational load on Bob.



4 Computationally-Efficient Key Exchange Protocol

In this section, we present a Computationally-Efficient Key Exchange Protocol (CEKEP), which is described in Fig. 2. The protocol CEKEP is based on PEKEP, but the number of encryptions performed by Bob is less than $\lfloor \log_e n \rfloor$, where (n, e) is the public key of Alice. In the protocol CEKEP, Bob selects a small number $\varepsilon$, $0 < \varepsilon < 2^{-80}$, which determines the probability of a successful e-residue attack against the protocol CEKEP. Alice starts the protocol CEKEP by sending her public key n, e and two random numbers $\rho, r_A \in_R \{0,1\}^k$ to Bob. Bob verifies if e is an odd prime and n is an odd integer. If not, Bob rejects. Else, Bob computes an integer m based on e and $\varepsilon$ as $m = \lceil \log_e \varepsilon^{-1} \rceil$. Then Bob selects a random number $\varrho \in_R \{0,1\}^k$ such that $\gamma = H(n, e, \rho, \varrho, A, B, m)$ is relatively prime to n. Bob sends $\varrho$ and m to Alice. After receiving $\varrho$ and m, Alice computes $u = D^m(\gamma)$ and sends it back to Bob. Subsequently, Bob verifies if Alice has made the right decryption, i.e., $E^m(u) = \gamma$. If $\gamma \ne E^m(u)$, Bob rejects. Else, Alice and Bob execute the rest of the protocol as in PEKEP.



Alice (A): password w; RSA keys n, e, d.          Bob (B): password w; $0 < \varepsilon < 2^{-80}$.

Alice: $\rho, r_A \in_R \{0,1\}^k$
  A → B: $\rho, r_A, n, e, A$
Bob: e odd prime? and n odd? If yes, $m = \lceil \log_e \varepsilon^{-1} \rceil$;
  $\varrho \in_R \{0,1\}^k$ such that $H(n, e, \rho, \varrho, A, B, m) \in \mathbb{Z}_n^*$
  B → A: $\varrho, m$
Alice: $\gamma = H(n, e, \rho, \varrho, A, B, m)$; $u = D^m(\gamma)$
  A → B: u
Bob: $\gamma \stackrel{?}{=} E^m(u)$. Reject if not, else
  $a \in_R \mathbb{Z}_n^*$, $r_B \in_R \{0,1\}^k$;
  $\alpha = H(w, r_A, r_B, A, B, n, e)$;
  if $\gcd(\alpha, n) = 1$, $\lambda = \alpha$, else $\lambda \in_R \mathbb{Z}_n^*$;
  $z = E^{m-1}(\lambda E(a))$
  B → A: $z, r_B$
Alice: $\alpha = H(w, r_A, r_B, A, B, n, e)$;
  if $\gcd(\alpha, n) \ne 1$, $b \in_R \mathbb{Z}_n$, else $b = D(\alpha^{-1} D^{m-1}(z))$;
  $\mu = H_1(b, r_A, r_B, A, B, n, e)$
  A → B: $\mu$
Bob: $\mu \stackrel{?}{=} H_1(a, r_A, r_B, A, B, n, e)$. Reject if not, else
  $\eta = H_2(a, r_A, r_B, A, B, n, e)$; $sk = H_3(a, r_A, r_B, A, B, n, e)$
  B → A: $\eta$
Alice: $\eta \stackrel{?}{=} H_2(b, r_A, r_B, A, B, n, e)$. Reject if not, else
  $sk = H_3(b, r_A, r_B, A, B, n, e)$

Fig. 2. Computationally-Efficient Key Exchange Protocol (CEKEP)
A major difference between CEKEP and PEKEP is that the protocol CEKEP adds two additional flows between Alice and Bob. Through the two flows, Alice and Bob establish a random number $\gamma \in \mathbb{Z}_n^*$. Then Alice decrypts the random number $\gamma$ repeatedly m times. If the m repeated decryptions are correct, i.e., $\gamma = E^m(u)$, then it can be concluded that, except with probability as small as $e^{-m}$, the integer $e^m$ does not divide $\phi(p_i^{a_i})$ for every prime-power of the factorization of n.

Theorem 2. Let n, n > 1, be an odd integer with prime-power factorization $n = p_1^{a_1} p_2^{a_2} \cdots p_r^{a_r}$. Let m be a positive integer and e an odd prime. If there exists a prime power, say $p_i^{a_i}$, of the factorization of n such that $e^m \mid \phi(p_i^{a_i})$, then for an integer $\gamma$ randomly selected from $\mathbb{Z}_n^*$, the probability that $\gamma$ is an $e^m$-th power residue of n is less than or equal to $e^{-m}$.

Proof. Let $n_i = p_i^{a_i}$ be a prime power of the factorization of n such that $e^m \mid \phi(n_i)$. Since n is odd, $n_i$ possesses a primitive root. Let g be a primitive root of $n_i$. For an integer $\gamma$ randomly selected from $\mathbb{Z}_n^*$, let $\mathrm{ind}_g \gamma$ denote the index of $\gamma$ to the base g modulo $n_i$. Then $\gamma$ is an $e^m$-th power residue of $n_i$ if and only if the congruence $x^{e^m} \equiv \gamma \pmod{n_i}$ has a solution, or equivalently, if and only if

$$g^{e^m \mathrm{ind}_g x - \mathrm{ind}_g \gamma} \equiv 1 \pmod{n_i},$$

which is equivalent to

$$e^m\, \mathrm{ind}_g x \equiv \mathrm{ind}_g \gamma \pmod{\phi(n_i)}.$$

Since $e^m \mid \phi(n_i)$, $\gamma$ is an $e^m$-th power residue of $n_i$ if and only if $e^m \mid \mathrm{ind}_g \gamma$.

Let $n' = n/n_i$; then $n_i$ and $n'$ are relatively prime. For any integer $\beta \in \mathbb{Z}_n^*$, it is clear that $\beta \bmod n_i$ and $\beta \bmod n'$ are integers of $\mathbb{Z}_{n_i}^*$ and $\mathbb{Z}_{n'}^*$, respectively. On the other hand, for two integers $a_1 \in \mathbb{Z}_{n_i}^*$ and $a_2 \in \mathbb{Z}_{n'}^*$, by the Chinese Remainder Theorem, there is a unique integer $a \in \mathbb{Z}_n^*$ such that $a \equiv a_1 \pmod{n_i}$ and $a \equiv a_2 \pmod{n'}$. So, the number of integers $a \in \mathbb{Z}_n^*$ which satisfy the congruence $a \equiv a_1 \pmod{n_i}$ is $\phi(n')$. If $\gamma$ is randomly selected from $\mathbb{Z}_n^*$, then for any integer s, $0 \le s \le \phi(n_i) - 1$, we have

$$\Pr(g^s \equiv \gamma \bmod n_i) = \phi(n')/\phi(n) = 1/\phi(n_i),$$

which implies that $\Pr(\mathrm{ind}_g \gamma = s) = 1/\phi(n_i)$. Hence,

$$\Pr(e^m \mid \mathrm{ind}_g \gamma) = \sum_{e^m \mid s,\ 0 \le s < \phi(n_i)} \Pr(\mathrm{ind}_g \gamma = s) = (\phi(n_i)/e^m)/\phi(n_i) = e^{-m},$$

which indicates that, for an integer $\gamma$ randomly selected from $\mathbb{Z}_n^*$, the probability that $\gamma$ is an $e^m$-th power residue of $n_i$ is equal to $e^{-m}$. So, the probability that $\gamma$ is an $e^m$-th power residue of n does not exceed $e^{-m}$. □
Theorem 2 demonstrates that, if there exists a prime-power $p_i^{r_i}$ of the factorization of $n$ such that $e^m \mid \phi(p_i^{r_i})$, then for a random number $\gamma \in \mathbb{Z}_n^*$, the probability that Alice can decrypt $\gamma$ repeatedly $m$ times is less than or equal to $e^{-m}$. If the number $u$ received from Alice satisfies the equation $E^m(u) = u^{e^m} = \gamma \bmod n$, i.e., $\gamma$ is an $e^m$-th power residue of $n$, then Bob is ensured with probability greater than or equal to $1 - e^{-m}$ that, for every prime-power of the factorization of $n$, $e^m \nmid \phi(p_i^{r_i})$. Since $m = \lceil \log_e \varepsilon^{-1} \rceil$, $e^{-m} \le \varepsilon$. By Theorem 1, it is clear that the probability for an adversary to launch a successful e-residue attack against CEKEP is upper-bounded by $\varepsilon$.
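Theorem 2 and the argument above can be checked exhaustively on toy moduli. The following Python, an added example and not code from the paper, enumerates $\mathbb{Z}_n^*$ for constructed small $n$ and compares the exact fraction of $e^m$-th power residues (the probability that a uniformly random $\gamma$ passes Bob's check $E^m(u) = \gamma$) against the bound $e^{-m}$; the moduli, exponents and function names are all constructed for this example.

```python
# Added example (not from the paper): Theorem 2 checked by exhaustive
# enumeration on constructed toy moduli.  For a real RSA modulus Bob cannot
# enumerate Z_n^*; he performs the single check E^m(u) = u^(e^m) = gamma mod n.
from fractions import Fraction
from math import gcd


def power_residue_fraction(n: int, e: int, m: int) -> Fraction:
    """Exact fraction of gamma in Z_n^* that are e^m-th power residues of n,
    i.e. for which u^(e^m) = gamma (mod n) has a solution u.  This is the
    probability that a random gamma could be decrypted m times by Alice and
    hence passes Bob's check in CEKEP."""
    exp = e ** m
    units = [a for a in range(1, n) if gcd(a, n) == 1]
    residues = {pow(u, exp, n) for u in units}
    return Fraction(len(residues), len(units))


def phi_prime_power(p: int, r: int) -> int:
    """Euler's phi of the prime power p^r."""
    return p ** (r - 1) * (p - 1)


def product(factors) -> int:
    """n = prod p^r for factors = [(p, r), ...]."""
    n = 1
    for p, r in factors:
        n *= p ** r
    return n


def theorem2_bound(factors, e: int, m: int) -> Fraction:
    """Bound of Theorem 2: e^-m as soon as e^m | phi(p^r) for at least one
    prime power of n; otherwise the theorem gives no bound below 1 (and in
    fact every gamma is then an e^m-th power residue)."""
    if any(phi_prime_power(p, r) % (e ** m) == 0 for p, r in factors):
        return Fraction(1, e ** m)
    return Fraction(1)


def check_theorem2(factors, e: int, m: int) -> bool:
    """True when the exact residue fraction respects the Theorem 2 bound."""
    n = product(factors)
    return power_residue_fraction(n, e, m) <= theorem2_bound(factors, e, m)


if __name__ == "__main__":
    # Constructed cases with e = 3.  Only when e^m | phi(p^r) for some factor
    # does Bob's check reject a noticeable share of random gamma.
    cases = [
        ([(19, 1), (11, 1)], 2),   # 9 | phi(19) = 18: fraction exactly 1/9
        ([(7, 1), (13, 1)], 1),    # 3 | phi(7) and 3 | phi(13): fraction 1/9 < 1/3
        ([(11, 1), (23, 1)], 1),   # 3 divides neither phi: every gamma passes
    ]
    for factors, m in cases:
        n = product(factors)
        print(f"n={n}, e=3, m={m}: residue fraction "
              f"{power_residue_fraction(n, 3, m)}, "
              f"Theorem 2 bound {theorem2_bound(factors, 3, m)}")
```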

In the protocol CEKEP, Alice proves to Bob in an interactive manner (via flow 2 and flow 3) that for every prime-power of the factorization of $n$, $e^m \nmid \phi(p_i^{r_i})$. In the interactive procedure, however, only one decrypted message is sent from Alice to Bob. The communication overhead on Alice and Bob is greatly reduced in comparison with that in [27, 24, 9]. In CEKEP, the computational burden on Bob includes two modular exponentiations, i.e., $u^{e^m} \bmod n$ and $(\lambda a^e)^{e^m} \bmod n$, where $m = \lceil \log_e \varepsilon^{-1} \rceil$. When $e \le \varepsilon^{-1}$, each modular exponentiation has an exponent consisting of $O(\lceil \log_2 \varepsilon^{-1} \rceil)$ bits. The computation time for the two modular exponentiations is $O(2(\log_2 \varepsilon^{-1})(\log_2 n)^2)$. If $\varepsilon^{-1}$ is much smaller than $n$, then the computational load on Bob is greatly reduced in CEKEP in comparison with that in PEKEP (or in SNAPI). The parameter $\varepsilon$ determines the computational load on Bob. It also determines the level of security against e-residue attacks. In practice, Bob can make a trade-off between the computational load and the security level offered by the protocol. When $\varepsilon = 2^{-80}$, for example, Bob needs to compute two modular exponentiations, each having an exponent of about 80 bits. In this case, the computational load on Bob is lighter than that in a Diffie-Hellman based password-authenticated key exchange protocol. In the Diffie-Hellman based EKE variant, for example, Bob needs to compute two modular exponentiations, each having an exponent of at least 160 bits.



5 Formal Security Analysis 

In this section, we analyze the security of PEKEP and CEKEP within the formal 
model of security given in Section 2. Our analysis is based on the random-oracle 
model of Bellare and Rogaway [4] . In this model, a hash function is modeled as 
an oracle which returns a random number for each new query. If the same query 
is asked twice, identical answers are returned by the oracle. In our analysis, we 
also assume the intractability of the RSA problem. 

RSA Assumption: Let $\ell$ be the security parameter of RSA. Let key generator $GE$ define a family of RSA functions, i.e., $(e, d, n) \leftarrow GE(1^\ell)$, where $n$ is the product of two primes of the same size, $\gcd(e, \phi(n)) = 1$, and $ed \equiv 1 \pmod{\phi(n)}$. For any probabilistic polynomial-time algorithm $C$ of running time $t$, the following probability

$$\mathrm{Adv}_C^{rsa}(t) = \Pr\big(x^e = c \bmod n \,:\, (e, d, n) \leftarrow GE(1^\ell),\ c \leftarrow_R \{0,1\}^\ell,\ x \leftarrow C(1^\ell, c, e, n)\big)$$

is negligible. In the following, we use $\mathrm{Adv}^{rsa}(t)$ to denote $\max_C\{\mathrm{Adv}_C^{rsa}(t)\}$, where the maximum is taken over all polynomial-time algorithms of running time $t$.

Theorem 3. Let $\mathcal{A}$ be an adversary which runs in time $t$ and makes $Q_{send}$, $Q_{send} < |\mathcal{D}|$, queries of type Send to different instances. Then the adversary's advantage in attacking the protocol PEKEP is bounded by

$$\mathrm{Adv}_{\mathcal{A}}^{ake} \le \frac{Q_{send}}{|\mathcal{D}|} + O\!\left((Q_{execute} + 3Q_{send})\,\mathrm{Adv}^{rsa}(t) + \frac{(Q_{execute} + 3Q_{send})\,Q_{oh}}{2^{\ell}}\right),$$

where $Q_{execute}$ denotes the number of queries of type Execute and $Q_{oh}$ denotes the number of random oracle calls.

We prove Theorem 3 through a series of hybrid experiments. In each experiment, we modify the way session keys are chosen for instances involved in protocol execution. We start by choosing random session keys (not output by random oracles) for instances for which the Execute oracle is called. We then proceed to choose random session keys for instances for which the Send oracle is called. These instances are gradually changed over five hybrid experiments and in the last hybrid experiment, all the session keys are chosen uniformly at random. Thus, the adversary $\mathcal{A}$ cannot distinguish them from random. We denote these hybrid experiments by $P_0, P_1, \ldots, P_4$ and by $\mathrm{Adv}(\mathcal{A}, P_i)$ the advantage of $\mathcal{A}$ when participating in experiment $P_i$. The hybrid experiment $P_0$ describes the real adversary attack. For $0 \le i \le 3$, we show that the difference between $\mathrm{Adv}(\mathcal{A}, P_i)$ and $\mathrm{Adv}(\mathcal{A}, P_{i+1})$ is negligible. We bound the advantage of $\mathcal{A}$ in $P_4$ by $Q_{send}/|\mathcal{D}| + \varepsilon$. Hence, the advantage of $\mathcal{A}$ in $P_0$ (i.e., in the real attack) is bounded by $Q_{send}/|\mathcal{D}| + \varepsilon$. Due to lack of space, the proof of Theorem 3 is omitted and can be found in the full version of this paper [28].

It is easy to check that the protocol PEKEP satisfies the first condition of Definition 1. Theorem 3 indicates that the protocol PEKEP also satisfies the second condition of Definition 1 and hence is a secure password-authenticated key exchange protocol. Similarly, we can also show that the protocol CEKEP satisfies the two conditions of Definition 1. In summary, we have the following Theorem 4.

Theorem 4. Both protocols, PEKEP and CEKEP, are secure password authen- 
ticated key exchange protocols under the RSA assumption and the random oracle 
model. 

We notice that the random oracle model in Theorem 4 is less desirable than a standard cryptographic assumption. To avoid the random oracle model, we could use the proof technique of [12], which requires a public-key encryption scheme secure against chosen-ciphertext attacks. Unfortunately, the most commonly used RSA schemes (e.g. [3, 7]) which are secure against chosen-ciphertext attacks are also based on the random oracle model. Nevertheless, it is encouraging to see that efficient password-authenticated key exchange protocols with security proofs in the random oracle model can be constructed without severe restriction on the public key of RSA.
6 Conclusion

In this paper, we investigate the design of RSA-based password-authenticated 
key exchange protocols that do not restrict the size of RSA public exponent. 
Based on number-theoretic techniques, we develop a Password Enabled Key 
Exchange Protocol (PEKEP) which can use both large and small primes as 
RSA public exponent. We show that the protocol PEKEP is secure against e- 
residue attacks. We also provide a formal security analysis of PEKEP under the 
RSA assumption and the random oracle model. Based on PEKEP, we develop 
a computationally-efficient key exchange protocol to mitigate the burden on 
communication entities. Both protocols, PEKEP and CEKEP, do not require 
public parameters; Alice and Bob only need to establish a shared password in 
advance and do not need to establish other common parameters such as a prime 
number p and a generator g of the cyclic group modulo p. This is appealing in 
environments where entities have insufficient resources to generate or validate 
public parameters with certain properties, e.g., primality. 
Abstract. An authenticated group key exchange (AGKE) scheme allows a group of users in a public network to share a session key which may later be used to achieve desirable cryptographic goals. In the paper, we study AGKE schemes for dynamically changing groups in ad hoc networks, i.e., for environments in which a member of a group may join and/or leave at any given time and a group key is exchanged without the help of any central server. Difficulties in group key management in such environments are caused by the dynamically changing group and the absence of any trustee. In most AGKE schemes proposed so far in the literature, the number of rounds is linear with respect to the number of group members. Such schemes are neither scalable nor practical since the number of group members may be quite large and the efficiency of the schemes is severely degraded by only one member's delay. We propose an efficient provably secure AGKE scheme with a constant number of rounds. The proposed scheme is still contributory and efficient, where each user executes three modular exponentiations and at most $O(n)$ XOR operations.

Keywords: dynamic authenticated group key exchange, ad hoc net- 
works. 



1 Introduction 

Recently, secure and efficient AGKE protocols have received much attention with increasing applicability in various collaborative and distributed group settings such as multicast communication, audio-video conferencing, multiplayer games, etc. In addition to provable security, recent research in group key exchange has concentrated on efficiency, which is related to the costs of communication and computation. Especially the number of rounds may be of critical concern in practical environments where the number of group members is quite large and a group is dynamic. As noted in [10], even in the case of a group where only a few members have a slow network connection, the efficiency of a protocol with $n$ rounds for a group of $n$ members can be severely degraded. Furthermore, it is clear that a scheme with $n$ rounds is not scalable.

In the paper, we design a secure and efficient dynamic AGKE protocol for ad hoc networks [26]. Most group communication environments are dynamic, where users can join and leave a group frequently. In particular, many group key exchange protocols [1,7,20,23,25] have considered ad hoc networks, i.e., networks without fixed infrastructure. The IEEE 802.11 standards [18] include as a component an ad hoc network environment such as IBSS (Independent Basic Service Set). Difficulties in designing a secure and efficient dynamic group key exchange scheme arise from the facts that a group key should be updated whenever the membership changes and exchanged without any trustee.

1.1 Overview 

Related Work: The security models and provably secure protocols for authenticated static group key exchange were first proposed by Bresson et al. [11], in which the security models are based on the secure 2-party key exchange models constructed by Bellare et al. [2, 5, 6]. Their scheme requires $O(n)$ rounds.

Authenticated static group key exchange protocols with a constant number of rounds have been proposed by Tzeng and Tzeng [24] and Boyd and Nieto [9]. In the protocol [24] with a fixed constant number of rounds, however, the cost of communication is very high. Each member should compute $n$ modular exponentiations for a group key exchange and additionally perform $3n$ modular exponentiations for authentication, since non-interactive proof systems are used in the authentication process. Boyd and Nieto have proven the security of the protocol [9] in the random oracle model [4]. In [9], group members consist of one member called the initiator and other members called responders. While the responders only perform one signature verification, one decryption in a public-key cryptosystem and one operation of a one-way hash function, the initiator has a heavy burden caused by $(n - 1)$ encryptions in a public-key cryptosystem and one signature generation. Furthermore, both of these protocols [9, 24] cannot provide forward secrecy.

Katz and Yung have proposed a scalable authenticated static group key exchange protocol [19] which is based on [15] introduced by Burmester and Desmedt. Burmester and Desmedt's protocol provides 2 rounds and a more efficient computation rate for group members than previous protocols [9,24]; each member performs 3 modular exponentiations and (-I- ^ — 3) modular multiplications. However, Burmester and Desmedt's protocol has not proposed any authentication method or any clear security proof. In [19], Katz and Yung propose a scalable compiler which transforms a secure group key exchange protocol into a secure authenticated group key exchange protocol. The compiler preserves forward secrecy of the original protocol. As Katz and Yung apply this compiler to Burmester and Desmedt's protocol, they construct a 3-round authenticated static group key exchange protocol. Each member performs the same modular computations as in the protocol [15] and additionally performs 2 signature generations and $(2n - 2)$ signature verifications. The rate of modular exponentiations in [15, 19] is constant, but still the rate of modular multiplications is dependent on the number of group members.

More recently, Bresson and Catalano have proposed a provably authenticated 
static group key exchange protocol with 2-round in the standard model [10]. 
The protocol is based on standard secret sharing techniques. The protocol is 
inefficient from a point of view of the computation rate. Each member should 
perform more than 3n modular exponentiations, 3n modular multiplications, n 
signature generations and n signature verifications. 

For dynamic groups, Bresson et al. improved the protocol [11] into dynamic 
group key exchange protocols in [12, 13]. However, Bresson et al.’s protocols do 
not have constant-round; in their schemes, each group member embeds its secret 
in the intermediate keying materials and forwards the results generated with the 
secret to the next group member. This makes the number of rounds in setup/join 
algorithms linear with respect to the number of group members. Though the 
number of rounds in leave algorithm is constant-round, for the constant-round 
leave algorithm all members should store data of which length is linear with 
respect to the number of group members. 

Bresson et al. [14] have introduced a provably secure authenticated group 
key distribution protocol with 2-round in the random oracle model [4], which 
is suitable for restricted power devices and wireless environments. They have 
concentrated on an efficient computation rate of a group member with a mobile 
device. In the protocol, however, there exists a base station as a trustee. The 
computation rate of the base station is similar to the maximum rate of group 
members in other protocols without any central server; n modular exponentia- 
tions, n signature verifications, n one-way hash function operations, and n XOR 
operations. 

Our Contribution: We propose a 2-round dynamic AGKE protocol without using any trustee. All legitimate members can also detect errors and stop execution of the protocol instantly if invalid messages are broadcast by corrupted members. For dynamic group communications, we propose setup, join, and leave algorithms with 2 rounds. In the setup algorithm, each group member performs at most 3 modular exponentiations, 4 one-way hash function operations, and $n$ XOR operations. Since the only operation dependent on the number of group members is the XOR operation, the total cost of computation can be highly reduced compared to the previous protocols. For authentication, each group member generates 2 signatures and performs $2n$ signature verifications; this computation rate is similar to other AGKE protocols using secure signature schemes [19]. Our join/leave algorithms are executed for the generation of new session keys whenever some members join or leave. Simply, setup algorithms of static constant-round AGKE protocols could be performed whenever group membership changes. In our join/leave algorithms, however, the communication rate and the total computation rate of group members are dependent on the number of joining/leaving members. Therefore our join/leave algorithms are more efficient than the setup algorithms, whose rates depend on the total number of members, when the number of joining/leaving members is smaller than the number of remaining group members. With reduced round complexity, our protocol is still contributory: in our protocol, each member can participate in the generation of a group key with a one-time random value without any trusted party.

In Table 1, we show an efficiency analysis of our protocol and Bresson et al.'s dynamic AGKE protocol (Bresson(Dyn)) [13]. While the number of rounds in Bresson(Dyn) depends on the number of group members, the proposed scheme has a constant number of rounds without degrading efficiency. However, our protocol cannot avoid the number of verification operations per member increasing, like other authenticated group key exchanges [19,24]. Our further research is to decrease or fix the number of verification operations. The following efficiency measures, Round, Communication, Message and Computation, are similar to the measures defined by Katz and Yung in [19].

— Storage: the storage rate of a member.

— Round: the number of rounds during the execution of the protocol.

— Comm.: the maximum number of bits that a member sends during the execution of the protocol.

— Mess.: the total length of all bits transmitted during the execution of the protocol.

— Comp.: the maximum computation rate of a member during the execution of the protocol.

Table 1. The analysis of efficiencies

Protocol                 Bresson(Dyn)                        Our Protocol
Storage                  Secret: |p|, Non-secret: N|p|       Secret: 3|h|
Setup     Round          N                                   2
          Comm.          N|p| + |σ|                          |p| + 3|h| + 2|σ|
          Mess.          O(N^2)|p| + N|σ|                    O(N)(|p| + |h| + |σ|)
          Comp.          Ne + s + v                          3e + 4h + (N + 1)x + 2s + O(N)v
Join      Round          O(N_J)                              2
          Comm.          (N + N_J)|p| + |σ|                  |p| + 3|h| + 2|σ|
          Mess.          + O(N_J)|σ|                         O(N_J)(|h| + |p| + |σ|)
          Comp.          (N + N_J)e + 2s + N_J v             3e + 4h + (N_J + 1)x + 2s + O(N_J)v
Leave     Round          1                                   2
          Comm.          (N - N_L)|p| + |σ|                  |p| + 3|h| + 2|σ|
          Mess.          (N - N_L)|p| + |σ|                  N_L|p| + (N + N_L)(|h| + |σ|)
          Comp.          (N - N_L)e + s                      3e + 4h + (N + 1)x + 2s + (N_L + N)v

Notations of Table 1: |σ| is the length of a signature, |h| the output size of a hash function, |p| the length of a prime number p where p is the order of a cyclic group G; N is the number of members, N_J the number of joining members, N_L the number of leaving members; s is the cost of a signing operation, v the cost of a verifying operation, e the cost of a modular exponentiation, h the cost of a hash function operation, x the cost of a XOR operation. Note that |h| ≤ |p| may be satisfied in general. We do not consider the post-computation rates in our protocol.

2 The Model 

In this section we present a security model for a dynamic AGKE protocol based 
on [11, 12] by Bresson et al. and [19] by Katz and Yung. 

Participants. A nonempty set $\mathcal{U}$ is a set of users who are able to participate in an AGKE protocol $\mathcal{P}$. Each user generates a secret/public key pair $(sk, pk)$ and the list of all public keys is known by all users. These key pairs are long-lived and used for signature generation/verification. An adversary is not a participant, but can control all communication on a network and corrupt group members.

Partnering. Whenever group membership changes, a new group $G_v = \{u_1, \cdots, u_n\}$ is formed and each group member of $G_v$ can obtain a new session key $sk_v$ through an instance performing $\mathcal{P}$; the index $v$ increases whenever group membership changes and $G_0$ denotes the initial group. $\Pi^j_{u_i}$ denotes an instance $j$ of a group member $u_i$. An instance $\Pi^j_{u_i}$ has a unique session identifier $\mathrm{sid}^j_{u_i}$ and partner identifier $\mathrm{pid}^j_{u_i}$. After the group key exchange protocol $\mathcal{P}$ has terminated successfully, $\Pi^j_{u_i}$ has a unique session key identifier $\mathrm{sk}^j_{u_i}$ corresponding to the session key $sk_v$. $\mathrm{pid}^j_{u_i}$ corresponds to a set of group members $G^j_{u_i} = G_v \setminus \{u_i\}$. When the group key exchange protocol $\mathcal{P}$ has been successfully terminated in the instance $\Pi^j_{u_i}$, each member $u_k$ of $G^j_{u_i}$ has an instance $\Pi^{j'}_{u_k}$ ($1 \le k \ne i \le n$) containing $(\mathrm{sid}^{j'}_{u_k}, \mathrm{pid}^{j'}_{u_k}, \mathrm{sk}^{j'}_{u_k})$ such that $\mathrm{sid}^{j'}_{u_k} = \mathrm{sid}^j_{u_i}$, $\mathrm{pid}^{j'}_{u_k} = G_v \setminus \{u_k\}$ and $\mathrm{sk}^{j'}_{u_k} = \mathrm{sk}^j_{u_i}$: we state that the instances $\Pi^j_{u_i}$ and $\Pi^{j'}_{u_k}$ are partnered [19].

Protocol Model. A dynamic AGKE protocol $\mathcal{P}$ consists of the following algorithms:

— Key Generation: With an input value $1^\kappa$ where $\kappa$ is a security parameter, this probabilistic polynomial-time algorithm outputs a long-lived key for each user of $\mathcal{U}$.

— Setup($G_0$): This algorithm starts the protocol $\mathcal{P}$ and the initial group $G_0$ is generated.

— Join($\mathcal{J}$, $G_{v-1}$): Inputs to this algorithm are a set of joining members' identities denoted by $\mathcal{J}$ and the current group $G_{v-1}$. The output of this algorithm is a new group $G_v = G_{v-1} \cup \mathcal{J}$ and all members of $G_v$ share a new session key $sk_v$ secretly.

— Leave($\mathcal{R}$, $G_{v-1}$): Inputs of this algorithm are a set of leaving members' identities denoted by $\mathcal{R}$ and the current group $G_{v-1}$. The output of this algorithm is a new group $G_v = G_{v-1} \setminus \mathcal{R}$ and all members of $G_v$ share a new session key $sk_v$ secretly.
Security Model. We define the capabilities of an adversary. We allow the adversary to potentially control all communication in the network via access to a set of oracles as defined below. We consider an experiment in which the adversary asks queries to oracles, and the oracles answer back to the adversary. Oracle queries model attacks which an adversary may use in the real system. We consider the following types of queries in this paper.

— Send($\Pi^j_{u_i}$, $m$): $\mathcal{A}$ sends a message $m$ to an instance $\Pi^j_{u_i}$. When $\Pi^j_{u_i}$ receives $m$, it responds according to the group key exchange protocol. An adversary may use this query to perform active attacks by modifying and inserting the messages of the key-exchange protocol. Impersonation attacks and man-in-the-middle attacks are also possible using this query.

— Setup($G_0$), Join($\mathcal{J}$, $G_{v-1}$), Leave($\mathcal{R}$, $G_{v-1}$): Using these queries, $\mathcal{A}$ can start the Setup, Join or Leave algorithm.

— Reveal($\Pi^j_{u_i}$): $\mathcal{A}$ can obtain a session key $sk$ which has been exchanged between the instance $\Pi^j_{u_i}$ and partnered instances, while $u_i$'s long-lived key is concealed. This query models known-key attacks (or Denning-Sacco attacks).

— Corrupt($u_i$): $\mathcal{A}$ can obtain $u_i$'s long-lived key. In our protocol, we consider adaptive corruptions [22]; in general, adaptive corruptions mean weak corruptions in which an adversary can obtain an honest member's long-lived key, but cannot obtain the member's "ephemeral" keys.

— Test($\Pi^j_{u_i}$): This query is used to define the advantage of an adversary. $\mathcal{A}$ executes this query on a fresh instance $\Pi^j_{u_i}$ at any time, but only once (other queries have no restriction). When $\mathcal{A}$ asks this query, it receives the session key $sk$ of the instance $\Pi^j_{u_i}$ if $b = 1$ or a random string if $b = 0$, where $b$ is the result of a coin flip. Finally, $\mathcal{A}$ outputs a bit $b'$.

To define a meaningful notion of security, we must first define freshness.

Definition 1. An instance $\Pi^j_{u_i}$ is fresh if both the following conditions are true at the end of the experiment described above:

(a) None of the instance $\Pi^j_{u_i}$ and its partnered instances has received an adversary's Reveal query.

(b) No one of $u_i$ and the other members in $G^j_{u_i}$ has received an adversary's Corrupt query before the adversary's Send queries.

Let $\mathcal{P}$ be a group key exchange protocol and let $\mathcal{A}$ be an active adversary against $\mathcal{P}$. When $\mathcal{A}$ asks a Test query to a fresh instance $\Pi^j_{u_i}$ in $\mathcal{P}$, $\mathcal{A}$ receives the result of the coin flip $b$, which is either a session key or a random value, and then outputs a bit $b'$. If the probability that $\mathcal{A}$ correctly guesses the bit $b$ is negligible, $\mathcal{P}$ is secure in the sense that $\mathcal{A}$ cannot obtain any information about a session key through re-keying broadcast messages. Let $\mathrm{Adv}^{ake}_{\mathcal{P},\mathcal{A}}$ denote the advantage of $\mathcal{A}$'s guess over the result of a coin flip in a Test query with $\mathcal{P}$. Then, $\mathrm{Adv}^{ake}_{\mathcal{P},\mathcal{A}}$ is defined as follows.

$$\mathrm{Adv}^{ake}_{\mathcal{P},\mathcal{A}} = \Pr[b' = 1 \mid b = 1] - \Pr[b' = 1 \mid b = 0] = 2\Pr[b' = b] - 1.$$

We say that $\mathcal{P}$ is a secure AGKE if $\mathrm{Adv}^{ake}_{\mathcal{P}} = \max_{\mathcal{A}}\{\mathrm{Adv}^{ake}_{\mathcal{P},\mathcal{A}}\}$ is negligible.
For the security of authentication, we consider the ability of $\mathcal{A}$ to mount impersonation attacks against a group member $u_i$ in an instance $\Pi^j_{u_i}$ [11]. For impersonation attacks, $\mathcal{A}$ should be able to forge a signature of the group member $u_i$ in the instance $\Pi^j_{u_i}$. If it is computationally infeasible for $\mathcal{A}$ to generate a valid signature on any message under a chosen message attack, we say that the signature scheme is CMA-secure. Let $\mathcal{S} = (\mathcal{K}, \mathcal{S}, \mathcal{V})$ be a signature scheme where $\mathcal{K}$, $\mathcal{S}$ and $\mathcal{V}$ are the key generation, signing and verification algorithms. Formally, let $\mathrm{Succ}^{cma}_{\mathcal{S},\mathcal{A}}$ be the success probability of $\mathcal{A}$'s existential forgery under a chosen message attack against $\mathcal{S}$. Then, we state that $\mathcal{S}$ is CMA-secure [21] if $\mathrm{Succ}^{cma}_{\mathcal{S}} = \max_{\mathcal{A}}\{\mathrm{Succ}^{cma}_{\mathcal{S},\mathcal{A}}\}$ is negligible.

Let $G = \langle g \rangle$ be a group. Given $g^x$ and $g^y$, the CDH problem is to compute the value $g^{xy}$ [17]. For the CDH problem, we consider a probability $\mathrm{Succ}^{cdh}_{G,\mathcal{A}}$ such that

$$\mathrm{Succ}^{cdh}_{G,\mathcal{A}} = \Pr\big[C = g^{xy} \mid g^x, g^y \leftarrow G;\ C \leftarrow \mathcal{A}(g^x, g^y)\big], \qquad \mathrm{Succ}^{cdh}_{G} = \max_{\mathcal{A}}\{\mathrm{Succ}^{cdh}_{G,\mathcal{A}}\},$$

where $\mathcal{A}$ is a CDH attacker against a group $G$.

3 A Constant-Round AGKE Protocol

Our protocol is based on the Computational Diffie-Hellman (CDH) assumption and a secure signature scheme $\mathcal{S} = (\mathcal{K}, \mathcal{S}, \mathcal{V})$. The group key space is $\{0,1\}^\ell$ where $\ell$ is a security parameter. Let $G = \langle g \rangle$ be a cyclic group of prime order $p$. $g$ and $p$ are public parameters and $\ell \le |p|$ is satisfied. Let $\mathcal{H} : \{0,1\}^* \to \{0,1\}^\ell$ be a one-way hash function.

Key Generation. Each user $u_i$ of $\mathcal{U}$ has a private/public key pair $(sk_{u_i}, pk_{u_i})$ for signing/verifying. The list of public keys is published to all users.

Setup. Let $G_0 = \{u_1, \cdots, u_n\}$ be an initial group. We consider a ring structure among the members of $G_0$, i.e., members' indices are considered on the circulation of $\{1, \cdots, n\}$. $L(i)$ ($R(i)$, resp.) means the left (right, resp.) index of $i$ on the ring for $i \in \{1, \cdots, n\}$. Let $I_0 = ID_{u_1} \| \cdots \| ID_{u_n}$. Figure 1 shows the example of this algorithm with four members.

— Round 1. Each member $u_i$ randomly chooses $k_i \in \{0,1\}^\ell$ and $x_i \in \mathbb{Z}_p^*$, computes $y_i = g^{x_i}$ and keeps $k_i$ secret. The last member $u_n$ computes $\mathcal{H}(k_n \| 0)$. Each member $u_i$ generates a signature $\sigma_i^1 = \mathcal{S}_{sk_{u_i}}(M_i^1 \| I_0 \| 0)$ where $M_i^1 = y_i$ for $1 \le i \le n-1$ and $M_n^1 = \mathcal{H}(k_n \| 0) \| y_n$, and broadcasts $M_i^1 \| \sigma_i^1$.

— Round 2. All members receive the $(M_i^1 \| \sigma_i^1)$'s and verify the $\sigma_i^1$'s. If some signatures are not valid, this process fails and halts. Otherwise, $u_i$ computes $t_i^L = \mathcal{H}(y_{L(i)}^{x_i} \| I_0 \| 0)$, $t_i^R = \mathcal{H}(y_{R(i)}^{x_i} \| I_0 \| 0)$ and generates $T_i = t_i^L \oplus t_i^R$. The last member additionally computes $T = k_n \oplus t_n^R$. Each member $u_i$ generates $\sigma_i^2 = \mathcal{S}_{sk_{u_i}}(M_i^2 \| I_0 \| 0)$ and broadcasts $M_i^2 \| \sigma_i^2$ where $M_i^2 = k_i \| T_i$ for $1 \le i \le n-1$ and $M_n^2 = T \| T_n$.
[Figure 1 (diagram not reproduced): $G_0 = \{u_1, u_2, u_3, u_4\}$, $I_0 = ID_{u_1} \| ID_{u_2} \| ID_{u_3} \| ID_{u_4}$; the Round 1 and Round 2 messages of $u_1, u_2, u_3, u_4$ are shown in the figure. Session key $sk_0 = \mathcal{H}(k_1 \| k_2 \| k_3 \| k_4 \| 0)$. Post-computation: $h_i^L = \mathcal{H}(g^{x_{L(i)} x_i} \| sk_0 \| 0)$, $h_i^R = \mathcal{H}(g^{x_{R(i)} x_i} \| sk_0 \| 0)$, $X = \mathcal{H}(k_4 \| sk_0 \| 0)$; each $u_i$ keeps $h_i^L, h_i^R, X$.]

Fig. 1. Setup algorithm with $G_0 = \{u_1, u_2, u_3, u_4\}$



— Key Computation. Session Key Computation: All members verify the signatures $\sigma_i^2$'s. If all signatures are valid, $u_i$ computes $t^R_{i+1}, t^R_{i+2}, \cdots, t^R_{i+(n-1)}$ $(= t_i^L)$ by using $t_i^R$:

$$t^R_{i+1} = T_{i+1} \oplus t^R_i,\quad t^R_{i+2} = T_{i+2} \oplus t^R_{i+1},\quad \cdots,\quad t^R_{i+(n-1)} = T_{i+(n-1)} \oplus t^R_{i+(n-2)}.$$

Finally $u_i$ can check if $t^R_{i+(n-1)} = t_i^L$ holds. Even though wrong messages (or no message) are broadcast by illegal members or system faults, honest members can notice the errors through the above check process and then halt the protocol. However, it is not easy to find who transmitted illegal messages. When members want to find illegal members, all members participating in this protocol should reveal their secret values $x_i$'s. If the above check process has been valid, all members have $t_n^R$ $(= t_1^L)$. Then they can obtain $k_n$ from $T$ and check if the received $\mathcal{H}(k_n \| 0)$ equals $\mathcal{H}(k_n \| 0)$ recomputed from the recovered $k_n$. Note that Key Control can be guaranteed by this check value and the one-way hash function $\mathcal{H}$. All members compute a session key as

$$sk_0 = \mathcal{H}(k_1 \| k_2 \| \cdots \| k_{n-1} \| k_n \| 0).$$

Post-Computation: Each member $u_i$ generates $h_i^L = \mathcal{H}(y_{L(i)}^{x_i} \| sk_0 \| 0)$, $h_i^R = \mathcal{H}(y_{R(i)}^{x_i} \| sk_0 \| 0)$ and $X = \mathcal{H}(k_n \| sk_0 \| 0)$ and saves $(h_i^L, h_i^R, X, sk_0)$ secretly. All members should erase other ephemeral data.

Join. Let $G_{v-1} = \{u_1, \cdots, u_n\}$ ($v \ge 1$) be the current group and $\mathcal{J} = \{u_{n+1}, \cdots, u_{n+n'}\}$ ($n' \ge 1$) be a set of new members. We divide $G_{v-1}$ into three parts $\{u_1\}$, $\{u_2, \cdots, u_{n-1}\}$ and $\{u_n\}$, and consider $u_2$ as an agent of $\{u_2, \cdots, u_{n-1}\}$. For convenience of explanation, we let $u_{n+n'+1}$, $u_{n+n'+2}$ and $u_{n+n'+3}$ denote $u_1$, $u_2$ and $u_n$. In this algorithm, we consider a ring structure among the members $u_{n+1}, \cdots, u_{n+n'+3}$. Let $Q$ be the set $\{u_{n+1}, \cdots, u_{n+n'+3}\}$ and $I_v = ID_{u_1} \| \cdots \| ID_{u_{n+n'}}$. Figure 2 shows the example of this algorithm.
[Figure 2 (diagram not reproduced): $G_{v-1} = \{u_1, u_2, u_3, u_4\}$ with $\mathcal{J} = \{u_5, u_6\}$; the ring is $u_5, u_6, u_1, u_2, u_4$. Session key $sk_v = \mathcal{H}(k_5 \| k_6 \| k_1 \| k_2 \| k_4 \| v)$. Post-computation: each member keeps $(h_i^L, h_i^R, X)$.]

Fig. 2. Join algorithm with $G_{v-1} = \{u_1, u_2, u_3, u_4\}$ and $\mathcal{J} = \{u_5, u_6\}$

— Round 1. Each member $u_{n+i}$ of $Q$ randomly chooses $k_{n+i} \in \{0,1\}^\ell$ and $x_{n+i} \in \mathbb{Z}_p^*$, computes $y_{n+i} = g^{x_{n+i}}$ and keeps $k_{n+i}$ secret. The member $u_{n+n'+2}$ $(= u_2)$ computes $y_{n+n'+2} = g^X$ by using the secret value $X$ instead of $x_{n+n'+2}$, and the member $u_{n+n'+3}$ $(= u_n)$ computes $\mathcal{H}(k_{n+n'+3} \| v)$. Each member $u_{n+i}$ generates $\sigma^1_{n+i} = \mathcal{S}_{sk_{u_{n+i}}}(M^1_{n+i} \| I_v \| v)$ where $M^1_{n+i} = y_{n+i}$ for $1 \le i \le n'+2$ and $M^1_{n+n'+3} = \mathcal{H}(k_{n+n'+3} \| v) \| y_{n+n'+3}$, and broadcasts $M^1_{n+i} \| \sigma^1_{n+i}$.

— Round 2. All members receive the $(M^1_{n+i} \| \sigma^1_{n+i})$'s and verify the $\sigma^1_{n+i}$'s. Each member $u_{n+i}$ computes $t^L_{n+i} = \mathcal{H}(y_{L(n+i)}^{x_{n+i}} \| I_v \| v)$ and $t^R_{n+i} = \mathcal{H}(y_{R(n+i)}^{x_{n+i}} \| I_v \| v)$ and generates $T_{n+i} = t^L_{n+i} \oplus t^R_{n+i}$. The member $u_{n+n'+3}$ additionally computes $T = k_{n+n'+3} \oplus t^R_{n+n'+3}$. Each member $u_{n+i}$ generates $\sigma^2_{n+i} = \mathcal{S}_{sk_{u_{n+i}}}(M^2_{n+i} \| I_v \| v)$ and broadcasts $M^2_{n+i} \| \sigma^2_{n+i}$ where $M^2_{n+i} = k_{n+i} \| T_{n+i}$ for $1 \le i \le n'+2$ and $M^2_{n+n'+3} = T \| T_{n+n'+3}$. All members of $\{u_3, \cdots, u_{n-1}\}$ compute $t^L_{n+n'+2}$ and $t^R_{n+n'+2}$ by using $X$.

— Key Computation. Session Key Computation: All members verify the $\sigma^2_{n+i}$'s. If all signatures are valid, each member $u_{n+i}$ computes $t^R_{n+i+1}, \cdots, t^R_{n+i+n'+2}$ $(= t^L_{n+i})$ by using $t^R_{n+i}$ and checks if $t^R_{n+i+n'+2} = t^L_{n+i}$ holds. Also, the members $u_3, \cdots, u_{n-1}$ can check it by using $t^L_{n+n'+2}$ and $t^R_{n+n'+2}$. Finally all members can obtain $k_{n+n'+3}$ from $T$ and compute a new session key $sk_v$ as follows:

$$sk_v = \mathcal{H}(k_{n+1} \| \cdots \| k_{n+n'+3} \| v).$$

Post-Computation: Each new member $u_{n+i}$ ($1 \le i \le n'$) generates $h^L_{n+i} = \mathcal{H}(y_{L(n+i)}^{x_{n+i}} \| sk_v \| v)$ and $h^R_{n+i} = \mathcal{H}(y_{R(n+i)}^{x_{n+i}} \| sk_v \| v)$. $u_1$ and $u_n$ respectively compute $h_1^L = \mathcal{H}(y_{n+n'}^{x_1} \| sk_v \| v)$ and $h_n^R = \mathcal{H}(y_{n+1}^{x_n} \| sk_v \| v)$ instead of the previous value $h_1^L$ $(= h_n^R)$. All members compute a new value $X = \mathcal{H}(k_n \| sk_v \| v)$. Each member $u_i$ saves $h_i^L$, $h_i^R$, $X$ and $sk_v$ secretly.
Leave. Let $G_{v-1} = \{u_1, u_2, \cdots, u_n\}$ be the current group and $\mathcal{R} = \{u_{l_1}, \cdots, u_{l_{n''}}\}$ with $\{l_1, \cdots, l_{n''}\} \subset \{1, 2, \cdots, n\}$ be a set of revoked members. Let $\mathcal{N}(\mathcal{R})$ be the set of all left/right members of revoked members, i.e., $\mathcal{N}(\mathcal{R}) = \{u_{l_1-1}, u_{l_1+1}, \cdots, u_{l_{n''}-1}, u_{l_{n''}+1}\}$. For generating a new group $G_v = G_{v-1} \setminus \mathcal{R}$ with a new session key $sk_v$, a new Diffie-Hellman value should be shared between the two members $u_{l_j-1}$ and $u_{l_j+1}$ ($1 \le j \le n''$). In this algorithm, we consider a ring structure among the members of $G_v$ and we newly index the members as $G_v = \{u_1, u_2, \cdots, u_{n-n''}\}$. Let $I_v = ID_{u_1} \| \cdots \| ID_{u_{n-n''}}$. Figure 3 shows the example of this algorithm.



[Figure 3 (diagram not reproduced): $G_{v-1} = \{u_1, u_2, u_3, u_4, u_5, u_6\}$, $\mathcal{R} = \{u_3, u_5\}$; the members of $\mathcal{N}(\mathcal{R})$ broadcast new $y$ values. Session key $sk_v = \mathcal{H}(\cdots \| k_6 \| v)$. Post-computation: $h_i^L = \mathcal{H}(h_i^L \| sk_v \| v)$, $h_i^R = \mathcal{H}(h_i^R \| sk_v \| v)$, $X = \mathcal{H}(k_6 \| sk_v \| v)$; each remaining member keeps $h_i^L, h_i^R, X$.]

Fig. 3. Leave algorithm with $G_{v-1} = \{u_1, u_2, u_3, u_4, u_5, u_6\}$ and $\mathcal{R} = \{u_3, u_5\}$



— Round 1. Each member $u_w$ of $\mathcal{N}(\mathcal{R})$ randomly chooses $k_w \in \{0,1\}^\ell$ and $x_w \in \mathbb{Z}_q^*$, computes $y_w = g^{x_w}$ and keeps $k_w$ secretly. The member $u_{l_{n''}+1}$ computes $\mathcal{H}(k_{l_{n''}+1}\|v)$. $u_w$ generates $\sigma_w = \mathcal{S}_{sk_{u_w}}(M_w\|I_v\|v)$, where $M_w = y_w$ with $w \in \{l_1-1, l_1+1, \cdots, l_{n''}-1\}$ and $M_{l_{n''}+1} = \mathcal{H}(k_{l_{n''}+1}\|v)\|y_{l_{n''}+1}$, and broadcasts $M_w\|\sigma_w$.

— Round 2. All members of $G_v$ verify the signatures $\sigma_w$'s. If all signatures are valid, each member $u_{l_j-1}$ (resp. $u_{l_j+1}$) of $\mathcal{N}(\mathcal{R})$ regenerates $h^R_{l_j-1}$ (resp. $h^L_{l_j+1}$) from the new Diffie-Hellman value. Then each member $u_i$ of $G_v$ computes $t^L_i = \mathcal{H}(h^L_i\|I_v\|v)$, $t^R_i = \mathcal{H}(h^R_i\|I_v\|v)$ and $T_i = t^L_i \oplus t^R_i$. The member $u_{l_{n''}+1}$ additionally computes $T = k_{l_{n''}+1} \oplus t^R_{l_{n''}+1}$. Each member $u_i$ generates a signature $\sigma_i = \mathcal{S}_{sk_{u_i}}(M_i\|I_v\|v)$ and broadcasts $M_i\|\sigma_i$, where $M_i = T\|T_{l_{n''}+1}$ for $u_{l_{n''}+1}$, $M_i = k_i\|T_i$ for the other members of $\mathcal{N}(\mathcal{R})$, and $M_i = T_i$ for the members of $G_v \setminus \mathcal{N}(\mathcal{R})$.

— Key Computation. Session Key Computation: All members verify the signatures $\sigma_i$'s. If all signatures are valid, each member $u_i$ computes $t^R_{i+1}, \cdots, t^R_{i-1}$ $(= t^L_i)$ around the ring by using $t^R_i$. Finally, each member $u_i$ checks whether the recovered value equals its own $t^L_i$. Then all members compute the session key as follows:

$sk_v = \mathcal{H}(k_{l_1-1}\|k_{l_1+1}\|\cdots\|k_{l_{n''}-1}\|k_{l_{n''}+1}\|v).$

Post-Computation: Each member $u_i$ regenerates $h^L_i = \mathcal{H}(h^L_i\|sk_v\|v)$, $h^R_i = \mathcal{H}(h^R_i\|sk_v\|v)$ and $X = \mathcal{H}(k_{l_{n''}+1}\|sk_v\|v)$, and saves $h^L_i$, $h^R_i$, $X$ and the session key $sk_v$ secretly.
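The ring walk behind the Key Computation step, as an added example that is not part of the original paper: each member derives $t^L_i$ and $t^R_i$ from the Diffie-Hellman values shared with its two neighbours, and since $t^R_i = t^L_{i+1}$, the broadcast $T_j$'s let any member recover every $t$ value and check that the walk closes on its own $t^L_i$. The toy group ($p = 2039$, $q = 1019$), SHA-256 as $\mathcal{H}$ and the field separator are assumptions of this example.

```python
"""Ring consistency check of the Key Computation step (added example, not the
authors' code).  Member u_i holds x_i, derives t_i^L, t_i^R from the DH values
shared with u_{i-1} and u_{i+1}, and broadcasts T_i = t_i^L xor t_i^R.  Because
t_i^R = t_{i+1}^L, a member can walk the whole ring from its own t_i^R; the walk
must end at its own t_i^L or some T_j was altered.  Toy group p = 2039, q = 1019
and SHA-256 as the hash oracle H are constructed for illustration only."""
import hashlib
import random

P, Q = 2039, 1019                      # constructed toy primes with q | p - 1
G = pow(2, (P - 1) // Q, P)            # generator of the order-q subgroup


def H(*parts):
    """H(a || b || ...); a '|' separator keeps the concatenation unambiguous."""
    return hashlib.sha256("|".join(str(x) for x in parts).encode()).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def round1(n, rng):
    """Each u_i picks x_i in Z_q^* and publishes y_i = g^{x_i}."""
    xs = [rng.randrange(1, Q) for _ in range(n)]
    ys = [pow(G, x, P) for x in xs]
    return xs, ys


def round2(i, xs, ys, I_v, v):
    """u_i computes t_i^L = H(y_{i-1}^{x_i}||I_v||v), t_i^R = H(y_{i+1}^{x_i}||I_v||v)
    and T_i = t_i^L xor t_i^R (indices taken around the ring)."""
    n = len(ys)
    tL = H(pow(ys[(i - 1) % n], xs[i], P), I_v, v)
    tR = H(pow(ys[(i + 1) % n], xs[i], P), I_v, v)
    return tL, tR, xor(tL, tR)


def ring_check(i, tL_i, tR_i, T):
    """Walk the ring from u_i: t_{j}^L = t_{j-1}^R and t_j^R = T_j xor t_j^L.
    Returns (ok, recovered t^R values); ok is False when the walk does not close."""
    n = len(T)
    tR = [None] * n
    tR[i] = cur = tR_i
    for step in range(1, n):
        j = (i + step) % n
        cur = xor(T[j], cur)           # t_j^R from T_j and t_j^L (= previous t^R)
        tR[j] = cur
    return cur == tL_i, tR             # last value is t_{i-1}^R, which must equal t_i^L


def demo(seed=3, n=5, I_v="u1|u2|u3|u4|u5", v=1):
    """Deterministic run: honest ring closes for every member; one flipped bit in T_2
    is caught by the member u_1 walking the ring."""
    rng = random.Random(seed)
    xs, ys = round1(n, rng)
    rounds = [round2(i, xs, ys, I_v, v) for i in range(n)]
    T = [r[2] for r in rounds]
    honest = all(ring_check(i, rounds[i][0], rounds[i][1], T)[0] for i in range(n))
    T_bad = list(T)
    T_bad[2] = xor(T[2], b"\x01" + b"\x00" * 31)   # constructed tampering of T_2
    tampered_ok, _ = ring_check(0, rounds[0][0], rounds[0][1], T_bad)
    return {"honest_ring_closes": honest, "tampered_ring_detected": not tampered_ok}
```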



4 The Security 

In this section, we prove the security of our protocol in the random oracle model. 



4.1 Security Proof 

The security of our protocol $\mathcal{P}$ is dependent on the probabilities $\mathrm{Succ}^{cma}$ and $\mathrm{Succ}^{cdh}$, since an adversary $\mathcal{A}$ against $\mathcal{P}$ can obtain information about a session key only by two methods: $\mathcal{A}$ successfully performs either signature forgery attacks or CDH attacks. Even if the random values $k_i$'s were selected identically in different instances, $\mathcal{A}$ could not get any information about a session key because of the index $v$ and the random hash oracle $\mathcal{H}$. Our proof method is similar to that in [14].

Theorem 1. Let $\mathcal{A}$ be an active adversary against our protocol $\mathcal{P}$ in the random oracle model. Let $q_s$ be the number of Send queries and $q_H$ be the number of queries to the hash oracle $\mathcal{H}$. Then,

$\mathrm{Adv}^{ake}_{\mathcal{P}}(\mathcal{A}) \le 2n \cdot \mathrm{Succ}^{cma}_{\Sigma}(t, q_s) + 2 q_H q_s^2 \cdot \mathrm{Succ}^{cdh}_{G}(t)$

where $n$ is the maximum number of group members and $t$ is the adversary's running time.

Proof. We consider $\mathcal{A}$'s attacks as a sequence of simulated protocols, which is denoted by a sequence of games $\{\mathrm{Game}_0, \cdots, \mathrm{Game}_3\}$. In each game, $\mathcal{A}$ executes a Test query and gets the result of a coin flip $b$. Each $\mathrm{Succ}_i$ denotes the event in which $\mathcal{A}$'s guessed bit $b'$ is equal to $b$ in $\mathrm{Game}_i$. Each $\mathrm{Game}_i$ is simulated as follows:



$\mathrm{Game}_0$: This game is equal to the real protocol $\mathcal{P}$. All group members obtain a pair of valid signing/verifying keys and randomly choose $k_i$'s and $x_i$'s. In this game, $\mathcal{A}$'s advantage is equal to the advantage in the real protocol $\mathcal{P}$. Thus,

$\Pr[\mathrm{Succ}_0] = \dfrac{\mathrm{Adv}^{ake}_{\mathcal{P}}(\mathcal{A}) + 1}{2}$ (1)



$\mathrm{Game}_1$: In this game, we consider a special event SigForge in which $\mathcal{A}$ executes a Send query with a message $m$ to an instance $\Pi_i^s$ in place of the group member $U_i$, and the message is verified and accepted by all group members. In particular, the message $m$ has not previously been used in any instance and a Corrupt($U_i$) query has not been executed on the member $U_i$. When the event SigForge occurs, this game halts and $\mathcal{A}$'s output $b'$ is determined randomly. The difference between $\mathcal{A}$'s outputs in games $\mathrm{Game}_0$ and $\mathrm{Game}_1$ is dependent on the event SigForge. That is,

$|\Pr[\mathrm{Succ}_1] - \Pr[\mathrm{Succ}_0]| \le \Pr[\mathrm{SigForge}].$

If one correctly guesses the member impersonated by $\mathcal{A}$ and the event SigForge occurs for that member, one can be successful in the existential forgery against a pair of signing/verifying keys under CMA. Therefore we know that

$\mathrm{Succ}^{cma}_{\Sigma}(t, q_s) \ge \dfrac{1}{n} \Pr[\mathrm{SigForge}].$

Finally, we get

$|\Pr[\mathrm{Succ}_1] - \Pr[\mathrm{Succ}_0]| \le \Pr[\mathrm{SigForge}] \le n \cdot \mathrm{Succ}^{cma}_{\Sigma}(t, q_s)$ (2)

$\mathrm{Game}_2$: In this game, a Diffie-Hellman triple $(A = g^a, B = g^b, C = g^{ab})$ is given. Whenever two successive members $U_i$ and $U_{i+1}$ should choose random values $x_i$ and $x_{i+1}$ and compute $y_i = g^{x_i}$ and $y_{i+1} = g^{x_{i+1}}$, we simulate this game with $y_i = A^{c_i}$ and $y_{i+1} = B^{c_{i+1}}$, where $c_i$ and $c_{i+1}$ are random values in $\mathbb{Z}_q^*$. Then the hash value $t^R_i$ $(= t^L_{i+1})$ is computed by using $C^{c_i c_{i+1}}$. We know that this game is equal to $\mathrm{Game}_1$ as long as $c_i$ and $c_{i+1}$ are selected randomly. Therefore,

$\Pr[\mathrm{Succ}_2] = \Pr[\mathrm{Succ}_1]$ (3)

$\mathrm{Game}_3$: In this game, a pair $(A = g^a, B = g^b)$ is given and there is no information about the Diffie-Hellman value $C = g^{ab}$. Whenever two successive members $U_i$ and $U_{i+1}$ should choose random values $x_i$ and $x_{i+1}$ and compute $y_i$ and $y_{i+1}$, we simulate this game like $\mathrm{Game}_2$. However, when $U_i$ or $U_{i+1}$ should broadcast a message with the hash value $t^R_i$ $(= t^L_{i+1})$, a random value $r \in \{0,1\}^\ell$ is used as the hash value. Now, we consider an event Hash in which $\mathcal{A}$ detects that the broadcast hash value $t^R_i$ (or $t^L_{i+1}$) is incorrect by using $\mathcal{A}$'s hash oracle queries. This event is possible when $\mathcal{A}$ sends the correctly guessed input to the hash oracle $\mathcal{H}$ and receives a hash value. At that time, $\mathcal{A}$ recognizes that the value is different from the previous random value $r$. When the event Hash occurs, this game is halted and $\mathcal{A}$'s output $b'$ is randomly chosen. Therefore,

$|\Pr[\mathrm{Succ}_3] - \Pr[\mathrm{Succ}_2]| \le \Pr[\mathrm{Hash}].$

Given $(A, B)$, one can obtain a valid Diffie-Hellman value $C$ if both of the following situations occur: (1) two successive members compute $y_i = A^{c_i}$ and $y_{i+1} = B^{c_{i+1}}$ and use a random value $r$ as the hash value $t^R_i$, (2) $\mathcal{A}$ executes a hash oracle query with the correctly guessed input after (1), i.e., the event Hash occurs. Therefore

$\mathrm{Succ}^{cdh}_{G}(t) \ge \dfrac{1}{q_H q_s^2} \Pr[\mathrm{Hash}].$

Finally, we get

$|\Pr[\mathrm{Succ}_3] - \Pr[\mathrm{Succ}_2]| \le \Pr[\mathrm{Hash}] \le q_H q_s^2 \cdot \mathrm{Succ}^{cdh}_{G}(t)$ (4)

Furthermore, $\mathcal{A}$ has no advantage in guessing the coin-flip bit $b$ in this game, since the hash oracle $\mathcal{H}$ is modelled as a random oracle and each input of the hash oracle is used only once owing to the index $v$. Therefore $\Pr[\mathrm{Succ}_3] = \frac{1}{2}$.

From the above results, the theorem is proved. □



4.2 Forward Secrecy of AGKE Protocol 

For a secure group key exchange protocol, forward secrecy is one of the essential security requirements. Forward secrecy means that the compromise of one or more members' long-lived keys should give no information for the compromise of any earlier session key.

In an AGKE protocol, a member's long-lived key is the member's signing key for authentication. Most dynamic AGKE protocols have considered an adversary with weak corruption ability and have guaranteed forward secrecy for a member's signing key. Bresson et al.'s protocols [12, 13] have offered forward secrecy for a member's signing key. However, another secret value of a member (really, it is an exponent) is as important as a signing key. If a member's exponent is revealed, earlier session keys can be revealed as well as later session keys. Furthermore, unless a member is a leader of a group, the member's secret exponent never changes from joining to leaving. Therefore the secret exponent should definitely be considered as a long-lived key, even though the value is saved in a smart card. Also, in Bresson et al. [14], forward secrecy for a member's signing key can be guaranteed, but forward secrecy for a member's Diffie-Hellman value cannot be guaranteed: a member's Diffie-Hellman value is never changed until the member leaves. Therefore this value should also be considered as a long-lived key.

In our AGKE protocol, a member secretly keeps a signing key as a long-lived key and three hashed values as short-lived keys: every time a session key is changed, the member's short-lived keys are also changed. In the paper we consider and prove forward secrecy for a member's long-lived key, but our protocol also guarantees forward secrecy for a member's short-lived keys. When an adversary obtains some members' short-lived keys, it can obtain later session keys, but cannot easily obtain previous session keys. Therefore our protocol can guarantee forward secrecy against an adversary with strong corruption capability [22], in which an adversary can obtain a member's short-lived key as well as the member's long-lived key.

5 Conclusion 

We have proposed an efficient and secure constant-round AGKE protocol for dynamic groups in the random oracle model. We note that each membership change in a dynamic group could be handled by running other constant-round static AGKE protocols from scratch. But our Join and Leave algorithms are more efficient than the Setup algorithms of other constant-round AGKE protocols for static groups when the number of joining/leaving members is smaller than the number of remaining group members. Hereafter, a provably secure constant-round AGKE protocol for dynamic groups under standard assumptions should be studied.
Abstract. We propose a public-key traitor tracing scheme in which (1) the size of a ciphertext is sublinear in the number of receivers and (2) black-box tracing is efficiently achieved against self-defensive pirate decoders. When assuming that a pirate decoder can take some self-defensive reaction (e.g., erasing all of the internal keys and shutting down) to escape from tracing if it detects tracing, it has been an open question to construct a sublinear black-box traitor tracing scheme that can detect efficiently at least one traitor (who builds the pirate decoder) with overwhelming probability, although a tracing algorithm that works successfully against self-defensive pirate decoders itself is known. In this paper, we answer affirmatively the above question by presenting a concrete construction of a public-key black-box tracing scheme in which the known tracing algorithm can be used while keeping the size of a ciphertext sublinear.

Keywords: Public-key traitor tracing, Black-box tracing, Self-defensive pirates.



1 Introduction 

Consider content distribution (e.g., pay-TV) in which digital contents should be 
available only to subscribers. A data supplier broadcasts an encrypted version 
of the digital contents (e.g., a movie) to subscribers, and only subscribers can 
decrypt them with their decryption keys given in advance. In this application, 
malicious subscribers may redistribute their decryption keys to non-subscribers. 
This piracy is serious since it allows the non-subscribers to have illegal access to 
the contents. 

To prevent the piracy, traitor tracing [3] has been studied extensively. In traitor tracing, each subscriber is given a distinct decryption key (personal key) which is contained in a decryption device (decoder), and the data supplier broadcasts both the contents encrypted with a session key and the encrypted session key (header). The subscribers can obtain the session key (and consequently the contents) by inputting the received header to their decoders. In this scenario, malicious subscribers (traitors) may give away their personal keys to a pirated version of a decoder (pirate decoder). Once the pirate decoder is found, at least one of the traitors who join the piracy can be identified from it. A traitor tracing scheme discourages traitors from committing the piracy since the confiscated pirate decoder can be traced back to its producers.

Among traitor tracing schemes, our interest is in a black-box tracing scheme 
in the public-key setting. In black-box tracing, a tracer does not break open 
the pirate decoder but uses it as a black box. Briefly, the tracer chooses a set 
of suspects and tests whether traitors are included in it only by observing the 
behavior of the pirate decoder on chosen inputs. Since traitors can be identified 
no matter how the pirate decoder is implemented, it is desirable to support 
black-box tracing. In the public-key setting, there are one or more public keys 
and subscribers can decrypt the header by using their personal keys. Since no 
secret information is needed to build the header and to execute the tracing 
algorithm, anyone can work as a data supplier and/or a tracer. This property is 
desirable as well because of the following two reasons: (1) it enhances the sender- 
scalability in the sense that plural data suppliers can use the same system and (2) 
it provides public verifiability of the tracing result, which is a stronger deterrent 
to the piracy. 

As a public-key black-box tracing scheme, the schemes of [7,2] are known.¹
While these are efficient in the sense that the size of a personal key is constant 
and that of a header is linear only in the maximum number of traitors in a 
coalition, the running time of the tracing algorithm is exponential in the max- 
imum coalition size, hence impractical. The convergence time for the tracing 
algorithm is improved to be practical in the schemes of [5,9] by integrating the 
mechanism of revocation of any number of subscribers into black-box tracing. 
However, if it is assumed that a pirate decoder can take measures (e.g., it erases 
all of the internal keys and shuts down once it detects tracing) that might escape 
from tracing, tracing is impossible since the identities of suspects are revealed 
in the inputs for black-box tracing. In this paper, we consider this type of pirate 
decoders. 

1.1 Our Result 

We explain our contribution by comparing previous schemes against self-defen- 
sive pirate decoders with ours. (See Table 1.) As mentioned above, in the scheme 
of [2, 8] the tracer can only do black-box confirmation in which the number of 
suspects examined in one test has to be limited to k, where k is the maximum 
coalition size. Therefore, the black-box confirmation algorithm needs to be exe- 
cuted on all of the possible (^) sets of suspects in the worst case, where n is the 
total number of subscribers. This results in an impractical tracing algorithm. 
Note that there is a trade-off between the running time of the tracing algorithm 



¹ The scheme of [7] is improved in [10, 8].

262 T. Matsushita and H. Imai



Table 1. Summary of our result (n: the total number of subscribers, k: the maximum coalition size, c: a constant (0 < c < 1))

| Scheme | Personal-key size | Header size | # of sets of suspects required for tracing | Type of tracing |
| [2,8] | O(1) | O(k) | $\binom{n}{k}$ | Black-box confirmation |
| [6] (c = 1/2) | O(1) | O(√n) | √n | Black-box list-tracing |
| Ours (k = √n/2) | O(1) | O(√n) | n | Black-box tracing |



and the transmission overhead. For instance, if we set k = n — 1, then the number 
of sets of suspects required for tracing is reduced to n, but the size of a header 
is linear in n, hence inefficient. It has been an open question to obtain a traitor 
tracing scheme with both practical black-box tracing and sublinear header size, 
as pointed out in [2]. 

In [6], a partial solution to this question is presented by introducing a relaxation idea called list-tracing, in which the output of the tracing algorithm is a set of suspects, i.e., a suspect list, and it is guaranteed that at least one
traitor is included in it. The scheme of [6] is based on that of [4] and achieves 
both practical black-box list-tracing and sublinear header size. Unfortunately, 
this approach incurs another trade-off between the size of the suspect list and 
that of a header. In order to reduce the header size the suspect list needs to be 
larger, but the probability that the tracer detects a traitor correctly is in inverse 
proportion to the size of the suspect list, if the tracer attempts to identify the 
traitor only from the suspect list. 

In this paper, we solve the open question without the list-tracing approach. 
By applying the key-generation method of [9] to the scheme of [8], a sublinear 
public-key black-box tracing scheme against self-defensive pirate decoders can be 
obtained. Note that the improvement we achieve is not in the tracing algorithm 
itself but in a concrete construction of a public-key black-box tracing scheme in 
which the known tracing algorithm that can identify at least one traitor with 
overwhelming probability from the self-defensive pirate decoder can be used 
while keeping the size of a header sublinear. 

The rest of the paper is organized as follows. In Sect. 2, the assumptions on the 
pirate decoder are described. We propose a sublinear public-key black-box tracing 
scheme in Sect. 3. The proposed scheme is analyzed in terms of security and effi- 
ciency in Sect. 4 and Sect. 5, respectively. We present our conclusions in Sect. 6. 



2 Assumptions on Pirate Decoders 

Let a valid input denote a header for the normal broadcast and an invalid input 
denote a header for black-box tracing. In this paper, we make two assumptions 
on the pirate decoder. 

Assumption 1. The pirate decoder can take measures that might escape from tracing if it detects tracing.

In Assumption 1 the pirate decoder outputs the correct plaintext only when it gets a valid input or an invalid input which is indistinguishable from a valid one. If the pirate decoder detects that it is examined in the tracing process, it will evade tracing by, e.g., erasing all of the internal keys and shutting down. As well as such self-defensive reaction, the pirate decoder can take aggressive countermeasures (e.g., crashing the host system or releasing a virus) as described in [6]. Note that (1) for simplicity we assume that the reaction is triggered deterministically, i.e., it is activated once the pirate decoder detects tracing and (2) our scheme can be easily extended to the general probabilistic case. In order to identify traitors efficiently from a pirate decoder with the reaction mechanism, it is necessary that a tracing algorithm can decide at least one traitor immediately when the reaction is triggered.

Assumption 2. The tracer can reset the pirate decoder to its initial state each time the tracer gives an input to it.

Assumption 2 means that each test during black-box tracing can be done 
independently. We do not consider the pirate decoder that records the previous 
inputs submitted by the tracer and reacts based on its record. 

The pirate decoder assumed in the paper can be viewed as a type-2 pirate decoder as categorized in [6].

3 Proposed Scheme 

First, we describe an outline of the proposed scheme. Secondly, an explicit con- 
struction of our scheme is shown. 

3.1 Outline 

Our scheme consists of four phases.

Key Generation: A trusted party generates and secretly gives every subscriber 
a distinct personal key. The personal key is stored in the decoder. 

Encryption: The data supplier encrypts (1) the contents with the session key 
and (2) the session key itself as a header. Then, the data supplier broadcasts the 
encrypted contents and the header. To avoid complication, we assume that (1) 
a symmetric encryption algorithm used for encryption of the contents is secure 
and publicly known and (2) a broadcast channel is reliable in the sense that the 
received information is not altered. 

Decryption: When receiving the header, subscribers compute the session key 
(and consequently the contents) by inputting it to their decoders. 

Black-Box Tracing: Suppose that the pirate decoder is confiscated. In the $j$th test, the tracer chooses a subscriber, $u_j$, and builds the header in which the subscribers $u_1, \ldots, u_j$ are revoked and the others are not, where $u_1, \ldots, u_{j-1}$ have been selected in the $(j-1)$th test. The tracer inputs this header to the pirate decoder and observes whether it decrypts correctly or not. If its output is (1) correct on the input where the set of revoked subscribers is $X$ and (2) incorrect on the input where the set of revoked ones is $X \cup \{u\}$, then the tracer decides that the subscriber $u$ is a traitor.

3.2 Protocol 

Let $n$ be the total number of subscribers and $k$ be the maximum number of traitors in a coalition. Let $p, q$ be primes s.t. $q \mid p-1$ and $q > n + 2k - 1$. Let $g$ be a $q$-th root of unity over $\mathbb{Z}_p^*$ and $G_q$ be the subgroup of $\mathbb{Z}_p^*$ of order $q$. Let $U$ be a set of subscribers $(U \subseteq \mathbb{Z}_q \setminus \{0\})$. All of the participants agree on $p, q$, and $g$. The calculations are done over $\mathbb{Z}_p^*$ unless otherwise specified.

Key Generation: The key-generation method is similar to that of [9]. Split $U$ into $\ell$ disjoint subsets $U_0, \ldots, U_{\ell-1}$. These subsets are publicly known. Choose $a_0, \ldots, a_{2k-1}, b_0, \ldots, b_{\ell-1} \in_R \mathbb{Z}_q$. Then, compute the public key $e$ as follows:

$e = (g, y_{0,0}, \ldots, y_{0,2k-1}, y_{1,0}, \ldots, y_{1,\ell-1}),$ where $y_{0,j} = g^{a_j}$ and $y_{1,i} = g^{b_i}$.

Suppose that $u \in U_i$. The subscriber $u$'s personal key is $(u, i, f_i(u))$ where

$f_i(u) = \sum_{j=0}^{2k-1} a_{i,j} u^j \bmod q, \qquad a_{i,j} = \begin{cases} a_j & (j \ne i \bmod 2k), \\ b_i & (j = i \bmod 2k). \end{cases}$



Encryption: Select the session key $s \in_R G_q$ and random numbers $R_0, R_1 \in_R \mathbb{Z}_q$. Build the header $H = (H_0, \ldots, H_{\ell-1})$ by repeating the following procedure for $0 \le i \le \ell-1$.

— Set $r_i = R_0$ or $R_1$, and compute $H_i$ as follows.

$H_i = (h_i, h_{i,0}, \ldots, h_{i,2k-1}), \qquad h_i = g^{r_i}, \qquad h_{i,j} = \begin{cases} y_{0,j}^{r_i} & (j \ne i \bmod 2k), \\ s\, y_{1,i}^{r_i} & (j = i \bmod 2k). \end{cases}$

Note that all of the subscribers in $U_i$ can be revoked by replacing $h_{i, i \bmod 2k}$ with $g^{z_i}$, where $z_i \in_R \mathbb{Z}_q$ is a random number.



Decryption: Suppose that $u \in U_i$. The subscriber $u$ can correctly compute the session key $s$ from $H_i$ as follows.

$\left( \dfrac{h_{i,0}^{u^0} \times h_{i,1}^{u^1} \times \cdots \times h_{i,2k-1}^{u^{2k-1}}}{h_i^{f_i(u)}} \right)^{1/u^{i \bmod 2k}} = \left( \dfrac{s^{u^{i \bmod 2k}} \, g^{r_i \sum_{j=0}^{2k-1} a_{i,j} u^j}}{g^{r_i f_i(u)}} \right)^{1/u^{i \bmod 2k}} = s.$
Black-Box Tracing: The black-box tracing algorithm is based on that of [8]. The difference is that while in [8] suspects must be narrowed down to $k$ subscribers before the execution of black-box confirmation, in ours no such preprocessing, which runs in exponential time, is needed. The inputs of the tracing algorithm are $U_0, \ldots, U_{\ell-1}$ and the pirate decoder, and the output is a traitor's ID.

For simplicity, we assume that $|U_0| = \cdots = |U_{\ell-1}| = 2k$, $\ell = n/2k$, $2k \mid n$. Label all of the elements in $U$ as follows.

$U_0 = \{u_1, \ldots, u_{2k}\},\; U_1 = \{u_{2k+1}, \ldots, u_{4k}\},\; \ldots,\; U_{\ell-1} = \{u_{n-2k+1}, \ldots, u_n\}.$

For $1 \le j \le n$, repeat the following procedure.

— Set $\mathrm{ctr}_j = 0$ and then repeat the following test $m$ times. In each test, the session key $s$ and random numbers $R_0, R_1$ are chosen randomly.

1. Set $X = \{u_1, \ldots, u_j\}$ and build the header $H = (H_0, \ldots, H_{\ell-1})$ by repeating the following procedure for $0 \le i \le \ell-1$. The same notations are used as in the encryption phase, and a random number $z_i \in_R \mathbb{Z}_q$ is selected randomly each time.

- If there exists a subset $U_t$ $(0 \le t \le \ell-1)$ s.t. $X \cap U_t \ne \emptyset$ and $X \cap U_t \ne U_t$, then first, suppose that $U_t \setminus X = \{x_1, \ldots, x_w\}$ and choose $2k-w-1$ distinct elements $x_{w+1}, \ldots, x_{2k-1} \in_R \mathbb{Z}_q \setminus (U \cup \{0\})$ when $2k-w-1 > 0$. Secondly, find $c_0, \ldots, c_{2k-1} \in \mathbb{Z}_q$ s.t.

$\sum_{j=0}^{2k-1} c_j x_a^j \equiv 0 \pmod q \quad \text{for } 1 \le a \le 2k-1.$

Finally, compute $H_t$ as follows.

$h_t = g^{r_t}, \qquad h_{t,j} = \begin{cases} g^{c_j r_t}\, y_{0,j}^{r_t} & (j \ne t \bmod 2k), \\ s\, g^{c_j r_t}\, y_{1,t}^{r_t} & (j = t \bmod 2k). \end{cases}$

For $i \ne t$, set $r_i = R_0$ if $X \cap U_i = \emptyset$. Otherwise $(X \cap U_i = U_i)$, set $r_i = R_0$ or $R_1$. Then, compute $H_i$ as follows.

$h_i = g^{r_i}, \qquad h_{i,j} = \begin{cases} y_{0,j}^{R_0} & (j \ne i \bmod 2k,\ r_i = R_0), \\ h_{t,j} & (j \ne i \bmod 2k,\ r_i = R_1), \\ s\, y_{1,i}^{R_0} & (j = i \bmod 2k,\ X \cap U_i = \emptyset), \\ g^{z_i} & (j = i \bmod 2k,\ X \cap U_i = U_i). \end{cases}$

Otherwise ($X \cap U_i = \emptyset$ or $X \cap U_i = U_i$ for every $i$), $H_i$ is the same as in the encryption phase.

2. Give $H$ to the pirate decoder and observe its output.

3. If it decrypts correctly, then increment $\mathrm{ctr}_j$ by one. (If a self-defensive reaction is triggered, then decide that the subscriber $u_j$ is a traitor.)

Finally, find an integer $j \in \{1, \ldots, n\}$ s.t. $\mathrm{ctr}_{j-1} - \mathrm{ctr}_j$ is the maximum and then decide that the subscriber $u_j$ is a traitor, where $\mathrm{ctr}_0 = m$.
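A toy run of the Key Generation, Encryption and Decryption phases of Sect. 3.2 together with the two revocations the tracing step relies on (a whole subset $U_i$ via $g^{z_i}$, and part of a subset via the polynomial $c(x)$ that vanishes on $U_t \setminus X$), as an added example that is not the authors' code. The parameters $p = 2039$, $q = 1019$, $n = 8$, $k = 2$ and the seeded RNG are constructed for illustration only.

```python
"""Toy run of the Sect. 3.2 scheme (added example, not the authors' code): key
generation, header construction, decryption, and the two kinds of revocation the
tracing algorithm relies on.  p = 2039, q = 1019, n = 8, k = 2 and the seeded RNG
are constructed for illustration only; they are far too small for real use."""
import random

P, Q = 2039, 1019                     # primes with q | p - 1 (constructed toy values)
G = pow(2, (P - 1) // Q, P)           # element of order q, i.e. a generator of G_q


def keygen(subsets, k, rng):
    """Public key e = (g, y_{0,j} = g^{a_j}, y_{1,i} = g^{b_i}) and personal keys (u, i, f_i(u))."""
    a = [rng.randrange(1, Q) for _ in range(2 * k)]          # a_0, ..., a_{2k-1}
    b = [rng.randrange(1, Q) for _ in range(len(subsets))]   # b_0, ..., b_{l-1}
    coef = lambda i, j: b[i] if j == i % (2 * k) else a[j]   # a_{i,j}
    e = (G, [pow(G, x, P) for x in a], [pow(G, x, P) for x in b])
    keys = {}
    for i, U_i in enumerate(subsets):
        for u in U_i:                                        # f_i(u) = sum_j a_{i,j} u^j mod q
            keys[u] = (u, i, sum(coef(i, j) * pow(u, j, Q) for j in range(2 * k)) % Q)
    return e, keys


def vanishing_poly(roots):
    """Coefficients c_0..c_d of c(x) = prod_a (x - x_a) mod q, so that c(x_a) = 0 mod q."""
    c = [1]
    for r in roots:
        nxt = [0] * (len(c) + 1)
        for j, cj in enumerate(c):
            nxt[j] = (nxt[j] - r * cj) % Q
            nxt[j + 1] = (nxt[j + 1] + cj) % Q
        c = nxt
    return c


def encrypt(e, k, subsets, s, rng, revoked_subsets=(), partial=None):
    """Build H = (H_0, ..., H_{l-1}) for session key s in G_q.
    revoked_subsets: indices i whose whole U_i is revoked (slot i mod 2k becomes g^{z_i}).
    partial = (t, X_t): only the members X_t (nonempty) of U_t are revoked, by folding a
    degree-(2k-1) polynomial c(x) that vanishes on U_t minus X_t into H_t."""
    _, y0, y1 = e
    n = sum(len(U) for U in subsets)
    R = (rng.randrange(1, Q), rng.randrange(1, Q))            # R_0, R_1
    H = []
    for i, U_i in enumerate(subsets):
        r_i = R[rng.randrange(2)]                               # r_i = R_0 or R_1
        star = i % (2 * k)                                      # the slot j = i mod 2k
        c = [0] * (2 * k)                                       # c_j = 0: no extra factor
        if partial is not None and partial[0] == i:
            keep = [u for u in U_i if u not in partial[1]]      # U_t minus X_t
            extra = rng.sample(range(n + 1, Q), 2 * k - 1 - len(keep))  # roots outside U, nonzero
            c = vanishing_poly(keep + extra)                    # 2k coefficients c_0..c_{2k-1}
        h_i = pow(G, r_i, P)
        h_ij = [pow(G, c[j] * r_i, P) * pow(y0[j], r_i, P) % P for j in range(2 * k)]
        h_ij[star] = s * pow(G, c[star] * r_i, P) * pow(y1[i], r_i, P) % P
        if i in revoked_subsets:
            h_ij[star] = pow(G, rng.randrange(1, Q), P)         # g^{z_i}, independent of s
        H.append((h_i, h_ij))
    return H


def decrypt(H, key, k):
    """u in U_i computes (prod_j h_{i,j}^{u^j} / h_i^{f_i(u)})^{1/u^{i mod 2k}}."""
    u, i, f_i_u = key
    h_i, h_ij = H[i]
    num = 1
    for j in range(2 * k):
        num = num * pow(h_ij[j], pow(u, j, Q), P) % P
    val = num * pow(pow(h_i, f_i_u, P), -1, P) % P              # = s^{u^{i mod 2k}} if not revoked
    return pow(val, pow(pow(u, i % (2 * k), Q), -1, Q), P)


def demo(seed=7, n=8, k=2):
    """Deterministic run on the toy parameters; returns the outcomes checked below."""
    rng = random.Random(seed)
    subsets = [list(range(1 + 2 * k * i, 1 + 2 * k * (i + 1))) for i in range(n // (2 * k))]
    e, keys = keygen(subsets, k, rng)
    s = pow(G, rng.randrange(1, Q), P)                          # session key s in G_q
    H = encrypt(e, k, subsets, s, rng)
    H_full = encrypt(e, k, subsets, s, rng, revoked_subsets={0})
    H_part = encrypt(e, k, subsets, s, rng, partial=(0, {1, 2}))  # revoke u_1, u_2 only
    dec = lambda Hx, u: decrypt(Hx, keys[u], k)
    return {
        "everyone_decrypts": all(dec(H, u) == s for u in keys),
        "U0_revoked_fails": all(dec(H_full, u) != s for u in subsets[0]),
        "U1_unaffected": all(dec(H_full, u) == s for u in subsets[1]),
        "partial_revoked_fail": all(dec(H_part, u) != s for u in (1, 2)),
        "partial_kept_decrypt": all(dec(H_part, u) == s for u in (3, 4, 5, 6, 7, 8)),
    }
```

Every $h_{i,j}$ with $j \ne i \bmod 2k$ is one of only two values, $y_{0,j}^{R_0}$ or $y_{0,j}^{R_1}$, so a sender need transmit those $4k$ values once plus one $h_{i, i \bmod 2k}$ per subset, which is how the header stays $O(k + n/k)$ (my reading of the construction; the block above stores $H$ expanded per subset).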



4 Security 

The security of our scheme is based on the difficulty of the Decision Diffie-Hellman problem (DDH) [1]. Informally, the assumption that DDH in $G_q$ is intractable means that no probabilistic polynomial-time (p.p.t. for short) algorithm can distinguish with non-negligible advantage between the two distributions $(g_1, g_2, g_1^a, g_2^a)$ and $(g_1, g_2, g_1^a, g_2^b)$ where $g_1, g_2 \in_R G_q$ and $a, b \in_R \mathbb{Z}_q$. We call a 4-tuple coming from the former distribution a Diffie-Hellman tuple. Let $\mathcal{M}^{DDH}$ be a p.p.t. algorithm which solves DDH in $G_q$. For two p.p.t. algorithms $\mathcal{M}_0, \mathcal{M}_1$, we mean by $\mathcal{M}_0 \Rightarrow \mathcal{M}_1$ that the existence of $\mathcal{M}_0$ implies that of $\mathcal{M}_1$, and by $\mathcal{M}_0 \Leftrightarrow \mathcal{M}_1$ that $\mathcal{M}_0 \Rightarrow \mathcal{M}_1$ and $\mathcal{M}_1 \Rightarrow \mathcal{M}_0$.

4.1 Indistinguishability of a Session Key 

Theorem 1 (Indistinguishability of a Session Key). When given a header, 
the computational complexity for the non-subscribers to distinguish the session 
key corresponding to the header from a random element in Gq is as difficult as 
DDH in Gq. 

Proof. Let $\mathcal{M}^{dist}_{NS}$ be a p.p.t. algorithm the non-subscribers use to distinguish between the session key corresponding to the header and a random element in $G_q$. We prove that $\mathcal{M}^{dist}_{NS} \Leftrightarrow \mathcal{M}^{DDH}$. First, it is clear that $\mathcal{M}^{DDH} \Rightarrow \mathcal{M}^{dist}_{NS}$. Secondly, we show that $\mathcal{M}^{dist}_{NS} \Rightarrow \mathcal{M}^{DDH}$ by constructing $\mathcal{M}^{DDH}$ using $\mathcal{M}^{dist}_{NS}$ as a subroutine. The construction of $\mathcal{M}^{DDH}$ is as follows.

Algorithm 1 (P.p.t. Algorithm $\mathcal{M}^{DDH}$).

Input: a challenge 4-tuple, $(g_1, g_2, g_3, g_4)$.
Output: "Diffie-Hellman tuple" or "Random tuple."

Step 1. Choose a set of subscribers $U$ $(\subseteq \mathbb{Z}_q \setminus \{0\})$ and split $U$ into $\ell$ disjoint subsets $U_0, \ldots, U_{\ell-1}$. For $0 \le i \le \ell-1$, $0 \le j \le 2k-1$, choose random numbers $\delta_i, \lambda_i, a_j \in_R \mathbb{Z}_q$ and compute the public key $e = (g_1, g_1^{a_0}, \ldots, g_1^{a_{2k-1}}, g_1^{b_0}, \ldots, g_1^{b_{\ell-1}})$ where $g_1^{b_i} = g_1^{\lambda_i} g_2^{\delta_i}$.

Step 2. Select the session key $s \in_R G_q$ and a random number $r \in_R \mathbb{Z}_q$. Compute the header $H = (H_0, \ldots, H_{\ell-1})$ by repeating the following procedure for $0 \le i \le \ell-1$.

— Set $B_i = 0$ or $1$ and compute $H_i$ as follows.

$H_i = (h_i, h_{i,0}, \ldots, h_{i,2k-1}), \qquad h_i = g_1^{B_i r} g_3, \qquad h_{i,j} = \begin{cases} (g_1^{B_i r} g_3)^{a_j} & (j \ne i \bmod 2k), \\ s\,(g_1^{B_i r} g_3)^{\lambda_i} (g_2^{B_i r} g_4)^{\delta_i} & (j = i \bmod 2k). \end{cases}$

Observe that if the challenge 4-tuple is a Diffie-Hellman tuple, the session key corresponding to the header is $s$. Otherwise, it is a random element in $G_q$.

Step 3. Give $s, H, e$ to $\mathcal{M}^{dist}_{NS}$. If $\mathcal{M}^{dist}_{NS}$ decides that $s$ is the session key corresponding to $H$, then output "Diffie-Hellman tuple." Otherwise, output "Random tuple." Since $\mathcal{M}^{dist}_{NS}$ behaves differently for session keys and random elements in $G_q$, $\mathcal{M}^{DDH}$ can solve the given DDH challenge. This completes the proof. □



4.2 Black-Box Traceability 

Recall that valid and invalid inputs denote headers for the normal broadcast and 
those for black-box tracing respectively. In our tracing algorithm subscribers in 
X are revoked in invalid inputs. The following three lemmas are used to prove 
black-box traceability of our scheme. 

Lemma 1 (Indistinguishability of an Input). The computational complex- 
ity for any coalition of k non-revoked subscribers to distinguish a valid input 
from an invalid one is as difficult as DDH in Gq. 

Proof. Let $C$ be a set of $k$ non-revoked subscribers in a coalition and $\mathcal{M}^{dist}_C$ be a p.p.t. algorithm the coalition $C$ uses to distinguish a valid input from an invalid one. We prove that $\mathcal{M}^{dist}_C \Leftrightarrow \mathcal{M}^{DDH}$ for any $C$ with $X \cap C = \emptyset$, $|C| = k$. First, it is clear that $\mathcal{M}^{DDH} \Rightarrow \mathcal{M}^{dist}_C$ for any $C$ with $X \cap C = \emptyset$, $|C| = k$. Secondly, we show that $\mathcal{M}^{dist}_C \Rightarrow \mathcal{M}^{DDH}$ for any $C$ with $X \cap C = \emptyset$, $|C| = k$ by constructing $\mathcal{M}^{DDH}$ using $\mathcal{M}^{dist}_C$ as a subroutine. The construction of $\mathcal{M}^{DDH}$ is as follows.

Algorithm 2 (P.p.t. Algorithm $\mathcal{M}^{DDH}$).

Input: a challenge 4-tuple, $(g_1, g_2, g_3, g_4)$.
Output: "Diffie-Hellman tuple" or "Random tuple."

Step 1. Choose a set of subscribers $U$ $(\subseteq \mathbb{Z}_q \setminus \{0\})$ and split $U$ into $\ell$ disjoint subsets $U_0, \ldots, U_{\ell-1}$. Select a set of revoked subscribers $X$ $(\subset U)$ with the condition that there is at most one subset $U_i$ $(0 \le i \le \ell-1)$ s.t. $U_i \cap X \ne \emptyset$, $U_i \cap X \ne U_i$. Then, choose a set of $k$ colluders $C$ s.t. $X \cap C = \emptyset$.

Step 2. Suppose that $C = \{x_1, \ldots, x_k\}$. Choose $k-1$ distinct elements $x_{k+1}, \ldots, x_{2k-1} \in_R \mathbb{Z}_q \setminus C$ and random numbers $\beta_1, \ldots, \beta_k, \lambda, \mu, \varphi_t, \psi_t \in_R \mathbb{Z}_q$ for $k+1 \le t \le 2k-1$. Then, there exists a unique polynomial $a(x) = \sum_{j=0}^{2k-1} a_j x^j \bmod q$ s.t. $g_1^{a_0} = g_1^{\lambda} g_2^{\mu}$ and

$(a(x_1), \ldots, a(x_{2k-1}))^T = (\beta_1, \ldots, \beta_{2k-1})^T = (a_0, \ldots, a_0)^T + V (a_1, \ldots, a_{2k-1})^T \bmod q,$

$g_1^{\beta_t} = g_1^{\varphi_t} g_2^{\psi_t} \quad (k+1 \le t \le 2k-1),$

where

$V = \begin{pmatrix} x_1 & x_1^2 & \cdots & x_1^{2k-1} \\ \vdots & \vdots & \ddots & \vdots \\ x_{2k-1} & x_{2k-1}^2 & \cdots & x_{2k-1}^{2k-1} \end{pmatrix} \bmod q.$

Since $V$ is a Vandermonde matrix, we obtain

$(a_1, \ldots, a_{2k-1})^T = V^{-1} (\beta_1 - a_0, \ldots, \beta_{2k-1} - a_0)^T \bmod q.$

Let $(v_{m,1}, \ldots, v_{m,2k-1})$ be the $m$th row of $V^{-1}$. For $1 \le m \le 2k-1$, $a_m$ is represented as follows.

$a_m = v_{m,1}(\beta_1 - a_0) + \cdots + v_{m,2k-1}(\beta_{2k-1} - a_0) = v_{m,1}\beta_1 + \cdots + v_{m,2k-1}\beta_{2k-1} - a_0 (v_{m,1} + \cdots + v_{m,2k-1}) \bmod q.$

Therefore, $g_1^{a_m}$ is calculated as follows.

$g_1^{a_m} = g_1^{v_{m,1}\beta_1 + \cdots + v_{m,2k-1}\beta_{2k-1}} \big/ \left( g_1^{\lambda} g_2^{\mu} \right)^{v_{m,1} + \cdots + v_{m,2k-1}}.$
Suppose that $x_j \in U_{i_j}$ $(1 \le j \le k,\ i_j \in \{0, \ldots, \ell-1\})$ and define $J = \{i_j \mid 1 \le j \le k,\ x_j \in U_{i_j}\}$. Choose random numbers $\in_R \mathbb{Z}_q$ for $0 \le i \le$ and $\delta_{i_j} \in_R \mathbb{Z}_q$ for all $i_j$'s in $J$. Then, there exists a unique element $\gamma_{i_j} \in \mathbb{Z}_q$ for each $i_j \in J$ s.t.



— kij 7q- ctq- mod 2k (l G iV), 
91=9^92^ {o<i<e-i). 



We plan to compute the subscriber $x_j$'s personal key $(x_j, i_j, d_j)$ as follows.

$d_j = a(x_j) + (b_{i_j} - a_{i_j \bmod 2k})\, x_j^{\,i_j \bmod 2k} = a_0 + a_1 x_j + \cdots + a_{2k-1} x_j^{2k-1} + (b_{i_j} - a_{i_j \bmod 2k})\, x_j^{\,i_j \bmod 2k} \bmod q.$

To satisfy $d_j = f_{i_j}(x_j)$, where $f$ is the key-generation function defined in 3.2, the coefficients $a_0, \ldots, a_{2k-1}$ are represented as follows. There are at least $k$ elements in $\{0, \ldots, 2k-1\} \setminus \{i_j \bmod 2k \mid i_j \in J\}$ and we can select $k$ such elements $\theta_1, \ldots, \theta_k$. Then, compute $g_1^{a_{\theta_1}}, \ldots, g_1^{a_{\theta_k}}$ s.t.



6I^,} 

9i 



O',- . X ■■ 

= 9i 



mod 2fe 



/ Si- OLi- mod 2fc / bi- \ 

[9i 9i' /9i) 



mod 2k 



(1 < J < k). 
Finally, compute $g_1^{a_m}$ $(0 \le m \le 2k-1)$ and build the public key $e$.
(to G {6»i,...,6»fe}), 



Step 3. Select the session key $s \in_R G_q$ and a random number $r \in_R \mathbb{Z}_q$. Build the header $H = (H_0, \ldots, H_{\ell-1})$ by repeating the following procedure for $0 \le i \le \ell-1$.

— If $U_i \cap X = \emptyset$, set $B_i = 0$. If $U_i \cap X = U_i$, set $B_i = 0$ or $1$. Otherwise $(U_i \cap X \ne \emptyset,\ U_i \cap X \ne U_i)$, set $B_i = 1$. Then, compute $H_i$ as follows.



II 

o 


, hi^2k-i 


0, 




h-\ 


'9\ {Bi 


= 0), 






ill — \ 


, 53 {Bi 


= 1), 








/ a^r 

9i 


(j ^ * 


mod 


2k, Bi 


~ ^ 


Qj 7 

53 

biV 

S9i 


(j * 

(j = * 


mod 

mod 


2k, Bi 
2k, Bi 




A, Ui 

553 54 


(j = * 


mod 


2k, Bi 


aj 1 




{J ^ {0 


1 , . . . 




93 ^ i 


[sVsf 


{j e {0 


1 , . . . 





0 ), 

1 ), 

0 ), 

1 ), 



53 



'f'Vj,k0k 

53 



2k-l 

n {steT)”‘ / (nisi) 



where 



(Xq 

..,53 are computed from the following system of equations. 



Z]xe{6li flfe} 

53 





mod 2fc 



(1 < z < k). 



Observe that if the challenge 4-tuple is a Diffie-Hellman tuple, $H$ is a valid input. Otherwise, it is an invalid one in which the $k$ colluders in $C$ are not revoked.

Step 4. Give $H, e, (x_1, i_1, d_1), \ldots, (x_k, i_k, d_k)$ to $\mathcal{M}^{dist}_C$. If $\mathcal{M}^{dist}_C$ decides that $H$ is a valid input, then output "Diffie-Hellman tuple." Otherwise output "Random tuple." Since $\mathcal{M}^{dist}_C$ behaves differently for valid inputs and invalid ones, $\mathcal{M}^{DDH}$ can solve the given DDH challenge.

Since $C$ with $X \cap C = \emptyset$, $|C| = k$ can be chosen arbitrarily in Step 4.2, it holds that $\mathcal{M}^{dist}_C \Rightarrow \mathcal{M}^{DDH}$ for any $C$ with $X \cap C = \emptyset$, $|C| = k$. This completes the proof. □



Lemma 2 (Secrecy of a Session Key in an Invalid Input). When given 
an invalid input, the computational complexity for any coalition of k subscribers 
revoked in the invalid input to compute the session key corresponding to the input 
is at least as difficult as DDH in G_q. 
Proof. Let C be a set of k colluders revoked in the invalid input and M_C^comp be 
a p.p.t. algorithm the coalition C uses to compute the session key corresponding 
to the input. Let M_C^dist be a p.p.t. algorithm the coalition C uses to distinguish 
the session key corresponding to the input from a random element in G_q. We 
prove that M_C^comp is at least as difficult as M^ddh for any C with C ⊆ X, |C| = k. 

Since it is clear that M_C^dist can be constructed by using M_C^comp as a subroutine, 
it holds that M_C^comp is at least as difficult as M_C^dist for any C with C ⊆ X, |C| = k. Therefore, 
we show that M_C^dist is at least as difficult as M^ddh for any C with C ⊆ X, |C| = k by constructing 
M^ddh using M_C^dist as a subroutine. The construction of M^ddh is as follows. 

Algorithm 3 (P.p.t. Algorithm M^ddh) 

Input: a challenge 4-tuple, (g_1, g_2, g_3, g_4). 
Output: “Diffie-Hellman tuple” or “Random tuple.” 

Step 1. Choose a set of subscribers U (⊆ Z_q\{0}) and split U into ℓ disjoint 
subsets U_0, ..., U_{ℓ−1}. Select a set of revoked subscribers X (⊆ U) with a condition 
that there is at most one subset U_i (0 ≤ i ≤ ℓ − 1) s.t. U_i ∩ X ≠ ∅, U_i ∩ X ≠ U_i. 
Then, choose a set of k colluders C s.t. C ⊆ X. 

Step 2. Suppose that C = {x_1, ..., x_k}. Construct the personal key (x_j, i_j, d_j) 
given to the subscriber x_j ∈ U_{i_j}, and the public key e = (g_1, ...) 
by executing the same procedure as in Step 4.2 of Algorithm 2. 

Step 3. Select the session key s ∈_R G_q and random numbers r, x, y ∈_R Z_q. Build 
the header H = (H_0, ..., H_{ℓ−1}) by repeating the following procedure to compute 
H_i = (B_i, h_{i,0}, ..., h_{i,2k−1}) for 0 ≤ i ≤ ℓ − 1. 

— If X ∩ U_i = ∅, then compute H_i as follows. 




hi^j 



53' ’' ^ (j yf * mod 2 /c), 

5(53 '94') (j = imod 2 A:). 



— If X ∩ U_i = U_i, then set B_i = 0 or 1 and compute H_i as follows. Each 
time, a random number z_i ∈_R Z_q is selected. 



~ _\9l (R. = 0), 

= (jV*mod2fc), 

l5i' (j=imod2fc). 



where if there exists a subset U_t (0 ≤ t ≤ ℓ − 1) s.t. X ∩ U_t ≠ ∅ and 
X ∩ U_t ≠ U_t, then 



K3 = 




{B, = 0), 

{B. = 1 ). 
Otherwise (X ∩ U_i = ∅ or X ∩ U_i = U_i for any i), 



K 



9 s 

{gfgir 



{Bi = 0 ), 
{Bi = 1 ), 



— If X ∩ U_i ≠ ∅ and X ∩ U_i ≠ U_i, then first, suppose that U_i \ X = {u_1, ..., u_w} 
and choose 2k − w − 1 distinct elements u_{w+1}, ..., u_{2k−1} ∈_R Z_q \ (U ∪ {0}) 
when 2k − w − 1 > 0. Secondly, find c_0, ..., c_{2k−1} ∈_R Z_q s.t. Σ_{j=0}^{2k−1} c_j u_a^j = 
0 mod q for 1 ≤ a ≤ 2k − 1. Finally, compute H_i as follows. 



r gV {glglT' U + * mod 2fc), 

I S9i {glglf" (5254)''' (i = * mod 2k). 



In this procedure, is computed as in Step 4.2 of Algorithm 2. Observe 
that if the challenge 4-tuple is a Diffie-Hellman tuple, s is the session key corre- 
sponding to H. Otherwise, it is not. 

Step 4. Give s, H, e, (x_1, i_1, d_1), ..., (x_k, i_k, d_k) to M_C^dist. If M_C^dist decides that 
s is the session key corresponding to H, then output “Diffie-Hellman tuple.” 
Otherwise output “Random tuple.” Since M_C^dist behaves differently for session 
keys and random elements in G_q, M^ddh can solve the given DDH challenge. 

Since C with C ⊆ X, |C| = k can be chosen arbitrarily in Step 4.2, it holds 
that M_C^dist is at least as difficult as M^ddh for any C with C ⊆ X, |C| = k. This completes the proof. 

□ 



Lemma 3 (Indistinguishability of a Suspect). The computational complexity 
for any coalition of k subscribers to distinguish (1) an invalid input in which 
a given subscriber other than the k ones is not revoked from (2) an invalid one 
in which the subscriber is revoked is as difficult as DDH in G_q. 

Sketch of Proof. Due to space limitation, we describe a sketch of the proof. 
Let C be a set of k colluders. Let M_C^dist be a p.p.t. algorithm the coalition C uses 
to distinguish an invalid input in which the given subscriber is not revoked from 
an invalid one in which the subscriber is revoked. Similarly to the proofs of the 
other lemmas, we construct M^ddh using M_C^dist as a subroutine. 

Algorithm 4 (P.p.t. Algorithm M^ddh) 

Input: a challenge 4-tuple, (g_1, g_2, g_3, g_4). 
Output: “Diffie-Hellman tuple” or “Random tuple.” 

Step 1. Choose a set of subscribers U (⊆ Z_q\{0}) and split U into ℓ disjoint 
subsets U_0, ..., U_{ℓ−1}. Select a set of k colluders C and one subscriber u ∈_R U \ C. 
Suppose that u ∈ U_t, U_i ∩ X = U_i for 0 ≤ i ≤ t − 1, and U_i ∩ X = ∅ for 
t+1 ≤ i ≤ ℓ − 1. There are three possible relations between U_t and X: (1) 
U_t ∩ X ≠ ∅, U_t ∩ X ≠ U_t both when u ∉ X and u ∈ X, (2) U_t ∩ X = ∅ when 
u ∉ X, and U_t ∩ X = {u} when u ∈ X, (3) U_t ∩ X = U_t \ {u} when u ∉ X, and 
U_t ∩ X = U_t when u ∈ X. 

Step 2. Suppose that C = {x_1, ..., x_k}. Construct the personal key (x_j, i_j, d_j) 
given to the subscriber x_j ∈ U_{i_j}, and the public key e = (g_1, ...) 
by executing the same procedure as in Step 4.2 of Algorithm 2. 

Step 3. Build the header H in which (1) if the challenge 4-tuple is a Diffie- 
Hellman tuple, the subscriber u is not revoked and (2) otherwise, the subscriber 
u is revoked, in each case. The construction of H is similar to that in Step 4.2 
of Algorithm 3. 

Step 4. Give u, H, e, (x_1, i_1, d_1), ..., (x_k, i_k, d_k) to M_C^dist. Since M_C^dist behaves 
differently for invalid inputs in which the subscriber u is not revoked and invalid 
ones in which the subscriber u is revoked, M^ddh can solve the given DDH 
challenge. □ 

From Lemma 1, Lemma 2, and Lemma 3, it follows that the next theorem 
holds. 

Theorem 2 (Black-Box Traceability). In the proposed scheme, from the pirate 
decoder constructed by a coalition of at most k traitors, at least one of them 
can be identified with probability 1 − ε where ε is negligible. 

Proof. Recall that ctr_j (0 ≤ ctr_j ≤ m) denotes the number of times of observing 
that the pirate decoder correctly decrypts the input in which X = {u_1, ..., u_j}, 
i.e., the subscribers u_1, ..., u_j are revoked. Define j = 0 if X = ∅, i.e., the input 
is valid. It is clear that ctr_0 = m. From Lemma 2, it holds that ctr_n = 0 with 
overwhelming probability. From the triangular inequality, it follows that there 
exists an integer j ∈ {1, ..., n} s.t. ctr_{j−1} − ctr_j ≥ m/n. If the subscriber u_j is 
not a traitor, ctr_{j−1} − ctr_j ≪ m/n since it follows from Lemma 3 that the pirate 
decoder cannot distinguish an invalid input in which X = {u_1, ..., u_{j−1}} from an 
invalid one in which X = {u_1, ..., u_j} with non-negligible advantage. Therefore, 
the subscriber u_j is a traitor with overwhelming probability if ctr_{j−1} − ctr_j is 
the maximum. 

Next, consider the case where the reaction mechanism is activated. From 
Lemma 1, no such reaction is triggered as long as X ∩ C = ∅ where C denotes the 
set of the colluders. Therefore, if the reaction is triggered in the input in which 
X = {u_1, ..., u_j}, it holds that {u_1, ..., u_j} ∩ C ≠ ∅. In this case, if the subscriber 
u_j is not a traitor, the pirate decoder must have taken the reaction in the previous 
input in which X = {u_1, ..., u_{j−1}} since it follows from Lemma 3 that the pirate 
decoder cannot distinguish an invalid input in which X = {u_1, ..., u_j} from an 
invalid one in which X = {u_1, ..., u_{j−1}} with non-negligible advantage. Hence, 
if the reaction is triggered in the input in which X = {u_1, ..., u_j}, it holds that 
the subscriber u_j is a traitor with overwhelming probability. □ 

Note that our scheme can be easily applied to the case where the pirate 
decoder takes the reaction in a probabilistic way. 
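As an added illustration (not part of the paper), the following Python simulation runs the tracing procedure from the proof of Theorem 2 against a constructed black-box model of a pirate decoder that behaves as Lemmas 1 to 3 dictate; the decoder model, the noise parameter and the subscriber numbering are assumptions of this example, not the paper's.

```python
import random


def make_pirate_decoder(traitors, self_defensive, noise, rng):
    """Constructed black-box model of a pirate decoder built by the coalition `traitors`.

    decode(revoked) returns "ok" (session key recovered), "fail" (not recovered) or
    "reaction" (self-defence mechanism triggered). The model follows the lemmas:
    - Lemma 1: while no colluder is revoked the input looks valid, so a self-defensive
      decoder can only react once revoked ∩ traitors is non-empty;
    - Lemma 2: once every colluder is revoked the session key is out of reach;
    - Lemma 3: the answer depends on the revoked set only through the traitors in it.
    `noise` is the probability that a non-reacting decoder flips its answer, so the
    counters are not exactly m or 0 (this is an assumption of the example).
    """
    traitors = frozenset(traitors)

    def decode(revoked):
        revoked = frozenset(revoked)
        if self_defensive and traitors & revoked:
            return "reaction"
        can_decrypt = not traitors <= revoked
        if rng.random() < noise:
            can_decrypt = not can_decrypt
        return "ok" if can_decrypt else "fail"

    return decode


def trace(decoder, subscribers, m):
    """Tracing procedure from the proof of Theorem 2.

    Feeds the decoder m inputs in which X = {u_1, ..., u_j} for j = 0, ..., n and
    records ctr_j, the number of correct decryptions. A reaction on the input with
    X = {u_1, ..., u_j} incriminates u_j. Otherwise ctr_0 ≈ m and ctr_n ≈ 0, so by the
    triangle inequality some drop ctr_{j-1} - ctr_j is at least m/n, and the u_j with
    the largest drop is incriminated. Returns (suspect, list of ctr_j seen).
    """
    n = len(subscribers)
    ctr = []
    for j in range(n + 1):
        revoked = subscribers[:j]          # u_1, ..., u_j are revoked (none for j = 0)
        count = 0
        for _ in range(m):
            out = decoder(revoked)
            if out == "reaction":
                if j == 0:
                    raise RuntimeError("reaction on a valid input contradicts Lemma 1")
                return subscribers[j - 1], ctr
            count += out == "ok"
        ctr.append(count)
    j = max(range(1, n + 1), key=lambda j: ctr[j - 1] - ctr[j])
    return subscribers[j - 1], ctr


if __name__ == "__main__":
    subs = list(range(1, 21))             # constructed: subscribers u_1, ..., u_20
    dec = make_pirate_decoder({4, 11, 17}, False, 0.1, random.Random(2004))
    print(trace(dec, subs, 200))           # suspect 17: the last traitor to be revoked
    dec = make_pirate_decoder({4, 11, 17}, True, 0.1, random.Random(1))
    print(trace(dec, subs, 200))           # suspect 4: reaction on the first colluder
```

With the non-reacting decoder the drop at j = 17 is about 0.8·m, while every other drop is pure noise; with the self-defensive decoder the reaction fires exactly when u_4, the first traitor in the ordering, is revoked.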
5 Efficiency 

In Table 2, the previous schemes and ours are compared from the viewpoints 
of each subscriber’s storage, the transmission overhead, the number of sets of 
suspects required for tracing, the detection probability, and the computational 
cost for decryption. The scheme of [2] is omitted since its efficiency is almost the 
same as that of [8] in the above criteria. We suppose that the standard ElGamal 
encryption scheme is straightforwardly used in the scheme of [6]. 



Table 2. Efficiency comparison (P, S, H: sets of possible personal keys, session keys, 
and headers respectively, n: the total number of subscribers, k: the maximum coalition 
size, c: a constant (0 < c < 1), ε: negligible probability) 

                     Each subscriber's   Transmission          # of sets of   Detection     # of exp.'s
                     storage             overhead              suspects       probability   for
                     (log|P|/log|S|)     (log|H|/log|S|)       for tracing                  decryption
[8]                  1                   2k + 1                (n choose k)   1 − ε         O(k)
[6]                  (1 − c)^{-1}        (1 − c)^{-1} n^{1−c}  n^c            n^{−c}        O((1 − c)^{-1})
[6] (c = 1/2)        2                   2√n                   √n             1/√n          O(1)
Ours                 1                   4k + n/2k + 2         n              1 − ε         O(k)
Ours (k = √(n/8))    1                   2√(2n) + 2            n              1 − ε         O(√n)



In the scheme of [6], the size of a personal key is determined by a constant 
c (0 < c < 1) selected when initializing the system. In the other schemes, the 
size of a personal key is constant. In the scheme of [8], an efficient transmission 
overhead, linear only in k, is achieved, where k is the maximum coalition 
size. However, the scheme of [8] can only support black-box confirmation in which 
only k suspects can be tested in one confirmation. Therefore, the tracer needs 
to execute the confirmation algorithm on all of the possible (n choose k) sets of suspects 
in the worst case, where n is the total number of subscribers. Since the number 
of sets of suspects required for tracing directly affects the running time 
of the tracing algorithm, the scheme of [8] is impractical from this viewpoint. 
On the other hand, in the scheme of [6] and ours the number of sets of suspects 
required for tracing is drastically reduced and hence a practical convergence 
time for tracing is achieved. 

In the scheme of [6], the output of the tracing algorithm is the list of suspects 
in which at least one traitor is included with overwhelming probability. If the 
tracer attempts to identify the traitor only from the suspect list, the probability 
that the tracer correctly detects the traitor is n^{−c}, since the list size is n^c. Due 
to its combinatorial construction, there is a trade-off between the transmission 
overhead and the detection probability in the scheme of [6]. The value of c 
which gives the smallest header size and detection probability at the same time is 
c = 1/2 and in this case the header size is O(√n) and the detection probability is 
1/√n. Although the sublinear header size is achieved in the scheme, its detection 
probability becomes smaller as n gets larger. 
In our scheme, efficient black-box tracing is achieved without the above list- 
tracing approach, i.e., there is no such trade-off. The header size is linear in k 
and the number of subsets of subscribers. Especially, if we set k = √(n/8), the 
header size is 2√(2n) + 2, where we assume that the size of each subset is 2k. The 
tracer can identify at least one traitor with overwhelming probability, regardless 
of n. By applying the key-generation method of [9] to the scheme of [8], our 
scheme enables the tracer to make it impossible for the revoked subscribers to 
compute the session key by substituting a random value for the element used 
only by the subscribers in one of the ℓ disjoint subsets if all of them in the subset 
are revoked. This helps to remove the restriction on the number of suspects in 
the previous schemes with black-box confirmation, and hence efficient black-box 
tracing without sacrificing the detection probability is achieved. On the value of 
m, which is the number of repetitions of the test in the tracing algorithm, 
it is shown in [6] that at least one traitor can be identified with overwhelming 
probability if m = O(n^log^n). By using this result, it can be said that the 
running time of the tracing algorithm is O(n^ log^ n). 

The main differences between the scheme of [6] and ours are the detection 
probability and the computational cost for decryption. While in the scheme of [6] 
the detection probability gets smaller as the value of n increases, in our scheme 
it is independent of n and always overwhelming. On the other hand, the scheme 
of [6] is efficient from the viewpoint of the computational cost for decryption. In 
the previous scheme, only a few exponentiations are needed, while the number of 
exponentiations required for decryption is O(k) in ours. This can be alleviated 
by using a technique of vector-addition chain exponentiation [11, p.622]. 



6 Conclusions 

In this paper, we have proposed a sublinear public-key black-box tracing scheme 
against self-defensive pirate decoders. This can be viewed as a solution to the 
open question to build a sublinear traitor tracing scheme that supports efficient 
black-box tracing against self-defensive pirate decoders with negligible probabil- 
ity of error. 
Abstract. We present a batch version of Schnorr’s identification scheme. 
Our scheme uses higher degree polynomials that enable the execution 
of several Schnorr protocols at a cost very close to that of a single 
execution. We present a full proof of security that our scheme is secure 
against impersonation attacks. 

The main application of this result is a very efficient way for a party to 
prove that it holds several secret keys (i.e. identities), where each identity 
is linked to a specific authorization. This approach protects the privacy of 
the prover, allowing her to prove only the set of authorizations 
required to perform a given task, without disclosing whether she is in 
possession of other privileges or not. 

We also show that our scheme is suitable to be implemented on low- 
bandwidth communication devices. We present an implementation of a 
smart card employing recent technology for the use of LEDs (Light 
Emitting Diodes) for bidirectional communication. Another contribution of 
our paper is to show that this new technology allows the implementation 
of strong cryptography. 



1 Introduction 

Identification, also known as entity authentication, is a process by which a 
verifier gains assurance that the identity of a prover is as claimed, i.e. there is 
no impersonation [MOV97, Sch96]. An identification scheme enables a prover 
holding a secret key to identify itself to a verifier holding the corresponding 
public key. 
The primary objectives of an identification protocol are completeness - in 
the case of honest parties the prover is successfully able to authenticate itself to 
the verifier, and soundness - a dishonest prover has a negligible probability of 
convincing a verifier. 

There are various grades of dishonesty and corresponding levels of security. 
The goal of the adversary is to impersonate the prover. As per the standard 
security framework [FFS88], the adversary is allowed various attacks on the honest 
prover, which complete before the impersonation attempt. A typical requirement 
of identification protocols is that they be secure against impersonation under 
passive attack, where the adversarial prover has access to transcripts of prover- 
verifier interactions. A stronger requirement is that protocols be secure against 
active attacks where the adversarial prover can actively play the role of a 
cheating verifier with the prover numerous times before the impersonation attempt. 
Security against impersonation under active attack has been the traditional goal 
of identification schemes. 

However, in recent times interest has been growing in still stronger attacks, 
e.g. concurrent attacks. In these attacks, just like with active attacks the 
adversarial prover gets to play the role of cheating verifier prior to impersonation 
with the key distinction that the adversary is allowed to interact with multiple 
honest prover clones concurrently [FFS88]. 

It is very important to keep in mind that, in the real world, identification 
protocols provide assurances only at the instant of time when the protocol is 
successfully completed. It is therefore important to ensure that the 
identification process is tied to some form of ongoing real-world integrity service. At some 
level all identification schemes are vulnerable to the adversary who cuts in 
immediately after the successful identification of the legitimate party. 

Zero-knowledge Protocols. A paradigm introduced in [FFS88] to construct 
identification protocols, is to construct zero-knowledge proofs of knowledge. These 
are protocols which allow a prover to demonstrate knowledge of a secret while 
revealing no information whatsoever other than the one bit of information 
regarding the possession of the secret [GMR85, FFS88]. 

A protocol is said to be honest-verifier zero-knowledge if it is zero-knowledge 
when interacting with honest verifiers. An honest-verifier zero-knowledge 
protocol has a weaker security guarantee than a general zero-knowledge protocol since 
it is possible that a dishonest verifier can extract information from the prover in 
the former protocol. 

However, when used as identification schemes, the ultimate measure of the 
worth of a protocol lies in its security against impersonation attempts and a 
protocol that is secure against impersonation against concurrent attacks is 
considered to be “secure” even if it is “only” honest-verifier zero-knowledge. This 
happens if one is able to show that whatever information is leaked to the 
dishonest verifier, it does not help him in any impersonation attack. 

Schnorr in [Sch91] presents such a protocol, based on the hardness of 
computing discrete logarithms. The details are described in the body of the paper, but 
here we just remark that Schnorr’s protocol is an honest-verifier zero-knowledge 
proof of knowledge of a discrete logarithm. Recently Bellare and Palacio in 
[BPa02] showed that under a slightly stronger assumption on the security of 
discrete logarithms, Schnorr’s protocol is a secure identification scheme against 
concurrent attacks. 

1.1 Authorization 

Authorization is the conveyance to the verifier that the prover has the sanction 
to gain access to a particular resource set, or belongs to a certain privilege class. 
Authorization may be effected by the proving of one or of multiple identities. 

Consider now the following access control scenario. Users of a given system 
belong to various privilege classes. Access control classes for the data are defined 
using these privileges, i.e. as the users who own a given subset of privileges. For 
example the access control class for a given piece of data D, is defined as the 
users who own privileges P_1, P_2, P_3. 

A way to implement such an access control system is to give each user a 
certified public key. The certificate would indicate the subset of privileges associated 
with this public key. Then in order to gain access, Alice performs an 
identification protocol based on her public key, and if her privileges are a superset of the 
ones required for the access she is attempting, access is granted. 

There are several drawbacks with this approach. But the main one is a blatant 
violation of Alice’s privacy. Whenever Alice proves her identity she reveals all 
her privileges, when, theoretically, in order to gain access she should have had 
to reveal only a subset of them. 

It is clear that there are situations which warrant a privacy-preserving 
authorization mechanism, in which Alice can gain access by proving she owns the 
minimal set of required privileges. 

This can be done by associating a different public key to each privilege. Then 
Alice would prove that she knows the secret keys required for the authorization. 
Using typical proofs of knowledge, like Schnorr’s, to prove knowledge of k keys 
the user has to perform k proofs. Although these proofs can be performed in 
parallel, keeping the round complexity the same, the computational complexity 
goes up by a factor of k. 

Thus an interesting question is if it is possible to perform a proof of knowledge 
of d secrets at the cost of less than d proofs. We answer this question in the 
affirmative (see below). 

Another advantage of associating different keys to different privileges, is that 
the latter can be easily transferred simply by transferring the corresponding 
secret key. 

1.2 Our Contributions 

We present a batch version of Schnorr’s protocol. In our scheme the prover can 
prove knowledge of d secret keys (discrete logarithms), at a cost slightly superior 
to the cost of a single Schnorr’s protocol, thus saving a factor of d in 
computation and bandwidth over the best previously known solutions. We use degree d 
polynomials to represent an ordered list of d identities. We show that the 
resulting scheme is not only honest-verifier zero-knowledge, but that it is also a secure 
identification scheme against impersonation under concurrent attacks [BPa02]. 

This immediately yields a very efficient privacy-preserving authorization 
mechanism along the lines described in the previous section. 

Finally, in order to showcase the efficiency of our proposal we present an 
implementation in a very low-bandwidth environment. We use recently proposed 
technology to use Light Emitting Diodes (LEDs) as bi-directional communication 
devices. We believe that another interesting contribution of our paper is to show 
that this new technology is robust enough to implement strong cryptographic 
solutions. 

1.3 Related Work 

Besides the works cited above [GMR85, FFS88, Sch91], another widely used 
protocol for identification is the one proposed by Guillou and Quisquater in 
[GQu88]. This scheme is more efficient than Schnorr’s and very suitable to low- 
power computation devices. When proving multiple identities simultaneously, 
our batch technique makes the advantage of using GQ over Schnorr’s disappear 
very quickly. Indeed only for very small values of d (the number of identities 
being proven), d parallel executions of GQ beat our batch Schnorr protocol in 
efficiency¹. It would be interesting to devise a batch version of the Guillou- 
Quisquater protocol, but we were not able to do so. 

In any case, when comparing our scheme with running d Guillou-Quisquater 
schemes, one should remember that the GQ scheme is based on a different 
assumption (RSA inversion) than Schnorr’s protocol. 

Our new identification scheme is related to the concept of batch 
verification of signatures [BGR98]. As far as we know there has not been any work on 
batch verification for identification protocols. A straightforward application of 
the techniques in [BGR98] to our problem would yield a much less efficient 
protocol. Moreover, the mathematical techniques we use are fundamentally different 
than the ones in [BGR98]. 

Recently the area of privacy-preserving protocols has received a lot of 
attention. We refer the reader especially to the works by Camenisch and Lysyanskaya 
[CL01, CL02], where the concept of group signature is used to show how a user 
can prove membership in a certain privilege class, without revealing her true 
identity. These solutions offer a very strong privacy guarantee, as a user can 
safely prove her privileges to various verifiers, who would not be able to link 
her various transactions. On the other hand our solution does not protect the 



¹ Jumping ahead, assume we perform Schnorr’s scheme, with parameters p, q such 
that |p| = 1024 and |q| = 160. Then one execution of the protocol costs about 
240 multiplications for the prover (i.e. one exponentiation mod p, with a 160-bit 
exponent). On the other hand, if we perform the GQ scheme over a 1024-bit RSA 
modulus, using a small public exponent (like 3), and security parameter 80, then the 
prover’s cost is about 80 multiplications. Thus GQ is approximately 3 times as fast 
as Schnorr’s. Which means that for d > 3, i.e. when proving more than 3 identities 
simultaneously, our batch Schnorr protocol becomes more attractive than GQ. 
identity of the user, but simply allows her to prove the minimal set of privileges 
required for a given transaction. But if verifiers collude they can link the user’s 
transactions and reconstruct the set of privileges she holds. For example if Alice 
proves to Bob that she belongs to privilege class P1, and to Charles that she 
belongs to the P2 class, it is possible for Bob and Charles together to understand 
that Alice holds both P1 and P2 privileges. On the other hand our solution is 
much simpler and more efficient than solutions based on group signatures, thus 
it could be preferable in a scenario in which collusion is not really a problem. 
Moreover some of our batching techniques can be used to speed up solutions 
based on group signatures (since there, the proof of possession of several keys is 
a subprotocol). 



2 Preliminaries 

In this section we recall the basic definition of proof of knowledge, the 
computational assumptions that we are going to need, and Schnorr’s protocol. In the 
following the acronym PPT stands for “probabilistic polynomial-time”. 

2.1 Proofs of Knowledge 

Polynomial Time Relationships. Let R be a polynomial time computable 
relationship, i.e. a language of pairs (y, w) such that it can be decided in 
polynomial time in |y| if (y, w) ∈ R or not. With L_R we denote the language induced 
by R, i.e. L_R = {y : ∃w, (y, w) ∈ R}. 

More formally an ensemble of polynomial time relationships PTR consists of 
a collection of families PTR = ∪_n PTR_n where each PTR_n is a family of 
polynomial time relationships R_n. To an ensemble PTR we associate a randomized 
instance generator algorithm IG that on input 1^n outputs the description of a 
relationship R_n. In the following we will drop the suffix n when obvious from 
the context. 

Example: The instance generator algorithm on input 1^n outputs an n-bit prime 
q, a poly(n)-bit prime p, such that q | p − 1 and an element g of order q in Z_p^*. 
The corresponding relationship is that of pairs (y, w) ∈ Z_p^* × Z_q such that 
y = g^w mod p. 

Proofs of Knowledge. In a proof of knowledge for a relationship R, two 
parties, Prover P and Verifier V, interact on a common input y. The Prover also 
holds a secret input w, such that (y, w) ∈ R. The goal of the protocol is to 
convince V that P indeed knows such w. Ideally this proof should not reveal any 
information about w to the verifier, i.e. be zero-knowledge. 

The protocol should thus satisfy certain constraints. In particular it must 
be complete: if P knows w then V should accept. It should be sound: for any 
(possibly dishonest) prover who does not know w, the verifier should almost 
always reject. Finally it should be zero-knowledge: no (poly-time) verifier (no 
matter what possibly dishonest strategy she follows during the proof) can learn 
any information about w. 
A formal definition of proofs of knowledge can be found in [BGo93] (improving 
on the original definition in [FFS88]). Informally, the concept of “knowing” w is 
formalized by showing that w can be computed in polynomial-time if we have 
black-box access to P. This is done by constructing a witness extractor which 
runs in probabilistic polynomial time, and computes w with a probability related 
to the probability that the Prover makes the Verifier accept. 

The concept of zero-knowledge is formalized via the existence of a 
probabilistic polynomial time simulator S that on input y and interacting with a possibly 
cheating Verifier outputs transcripts with the same probability distribution as 
the real prover (who knows w). 

A formal definition follows. With [P(y, w), V(y)] we denote the output of the 
protocol, i.e. 1 iff V accepts. With π_P(n) we denote the probability that a prover 
P makes the verifier accept, i.e. 

π_P(n) = Prob[ R ← IG(1^n) ; [P(y, ·), V(y)] = 1 ] 

where the statement y can be chosen by P. 

Definition 1. We say that (P, V) is a proof of knowledge for a relationship 
(PTR, IG) if the following properties are satisfied: 

Completeness. For all (y, w) ∈ R_n (for all R_n) we have that [P(y, w), V(y)] = 1. 

Witness Extraction. There exist a probabilistic polynomial time knowledge 
extractor KE, a function κ : {0, 1}* → [0, 1] and a negligible function ε, such 
that for all PPT P', if π_{P'}(n) > κ(n) then KE, given rewind access to P', 
computes w such that (y, w) ∈ R_n with probability at least π_{P'}(n) − κ(n) − ε(n). 

Zero-Knowledge. For every PPT Verifier V' there exists a probabilistic 
polynomial time simulator SIM_{V'}, such that for all (y, w) ∈ R_n the two random 
variables 

View[P(y, w), V'(y)] 

View[SIM_{V'}(y), V'(y)] 

are indistinguishable. 

The function κ is called the knowledge error and measures the probability, 
inherent to the protocol, that a cheating prover can convince the verifier without 
knowing w. What we require is that if a prover convinces the verifier with a 
probability higher than κ, then we can extract the witness with a success probability 
related to the difference. 
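As an added example (my code, not the paper's), the Example relation above, y = g^w mod p, instantiated with Schnorr's protocol, which the paper recalls in Section 2.4 as its proof of knowledge of a discrete logarithm: the code checks completeness, runs the witness extractor KE on two accepting transcripts that share a commitment, and runs the honest-verifier simulator SIM. The group parameters are constructed toy values (far too small for real use), and the prover class and function names are mine.

```python
import random

# Constructed toy parameters (not a secure instance): q | p - 1 and g has order q in Z_p^*.
P, Q = 47, 23
G = pow(2, (P - 1) // Q, P)          # 2^2 = 4 != 1, so its order is exactly q = 23


def instance_generator(rng):
    """IG: samples (y, w) in the relation R = {(y, w) : y = g^w mod p}."""
    w = rng.randrange(1, Q)
    return pow(G, w, P), w


def in_relation(y, w):
    """Polynomial-time decision procedure for membership of (y, w) in R."""
    return pow(G, w, P) == y


class Prover:
    """Schnorr prover: commits to t = g^r, then answers challenge c with s = r + c*w mod q."""

    def __init__(self, y, w, rng):
        self.y, self.w, self.rng = y, w, rng

    def commit(self):
        self.r = self.rng.randrange(Q)
        return pow(G, self.r, P)

    def respond(self, c):
        return (self.r + c * self.w) % Q


def verify(y, t, c, s):
    """Verifier's check: g^s == t * y^c mod p."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def run_protocol(y, w, rng):
    """One honest execution; returns the transcript (t, c, s) and the verifier's decision."""
    prover = Prover(y, w, rng)
    t = prover.commit()
    c = rng.randrange(Q)               # honest verifier: uniform challenge in Z_q
    s = prover.respond(c)
    return (t, c, s), verify(y, t, c, s)


def extract_witness(t, c1, s1, c2, s2):
    """Knowledge extractor KE: rewind the prover to the same commitment t, obtain answers
    to two distinct challenges, and recover w = (s1 - s2) / (c1 - c2) mod q."""
    if c1 == c2:
        raise ValueError("challenges must differ")
    return ((s1 - s2) * pow((c1 - c2) % Q, -1, Q)) % Q


def simulate(y, rng):
    """Honest-verifier simulator SIM: choose c and s first, then solve for t = g^s * y^{-c}."""
    c, s = rng.randrange(Q), rng.randrange(Q)
    y_inv_c = pow(y, (Q - c) % Q, P)   # y has order q, so y^{-c} = y^{q-c}
    t = (pow(G, s, P) * y_inv_c) % P
    return t, c, s


if __name__ == "__main__":
    rng = random.Random(7)
    y, w = instance_generator(rng)
    print("honest run accepted:", run_protocol(y, w, rng)[1])
    prover = Prover(y, w, random.Random(3))
    t = prover.commit()
    print("extracted w == w:", extract_witness(t, 5, prover.respond(5), 9, prover.respond(9)) == w)
    print("simulated transcript verifies:", verify(y, *simulate(y, random.Random(11))))
```

The simulated transcript verifies without any use of w, which is the honest-verifier zero-knowledge property; the extractor succeeding after one rewind is why the knowledge error κ of this protocol is 1/q.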

2.2 Identification Schemes 

In an identification scheme a prover P and a verifier V interact on input a public 
key (generated together with its matching secret key by a key generation algo- 
rithm KG). The prover holds the matching secret key, and his goal is to convince 
the Verifier of this fact, and thus of his identity. 
An impersonation attack is when an adversary A tries to convince the verifier 
that he is the honest prover. This kind of attack is called a passive attack, if the 
adversary attempts impersonation only after having witnessed several correct 
executions of the identification protocol between the prover and honest verifiers. 
We say that an attack is active, if the adversary before trying to impersonate 
the prover has engaged with him in the identification protocol, playing the role 
of a (possibly dishonest) verifier. 

Finally, and this is the notion we consider in this paper, we say that an 
active impersonation attack is a concurrent attack if the interactions between the 
adversary and the honest prover before the impersonation attack, can be carried 
out in a concurrent fashion (i.e. with an arbitrary scheduling of messages). 

So we can consider the following game. A pair of keys sk, pk is chosen according 
to the distribution induced by KG on input 1^n, the security parameter. The prover 
is given sk and pk is made public. Then the adversary A engages as a verifier in 
several concurrent executions of the identification protocol with the prover. He 
then finally runs one execution of the protocol, as the prover, with an honest 
verifier. We denote with adv_A(n) the probability that A makes the verifier accept 
at the end of this game. 

Definition 2. We say that an identification protocol is secure against concurrent 
impersonation attack if adv_A(n) is negligible in n. 

2.3 Discrete Logarithm Assumptions 

Since its introduction in the seminal paper by Diffie and Hellman [DH78], the 
discrete logarithm assumption has been widely used to construct cryptographic 
algorithms. Here we are going to use a well established variant of the assumption that 
considers the hardness of computing discrete logs in subgroups of prime order. 

Consider the example we described above. On input a security parameter 
1^n, we generate an n-bit prime q, a poly(n)-bit prime p, such that q | p − 1 and an 
element g of order q in Z_p^* (the multiplicative group of integers mod p). In the 
group generated by g we can consider the exponentiation function that maps 
w ∈ Z_q to y = g^w mod p. The discrete log assumption says that if we choose w 
at random then it is infeasible to compute w, when given only y. 

Assumption 1. We assume that computing discrete logarithms is hard, i.e. for 
every PPT Turing Machine $I$ (for inverter) the following probability 

$\mathrm{adv}_I(n) = \Pr[\, I(p, q, g, y = g^w \bmod p) = w \,]$ 

is negligible in $n$. The probability is taken over the internal coin tosses of $I$, 
the random choices of $q$ as an $n$-bit prime, $p$ as a $\mathrm{poly}(n)$-bit prime 
such that $q \mid p-1$, and $w \in_R Z_q$, while $g$ is an arbitrary element of 
order $q$ in $Z_p^*$. 

In the following we are going to use a stronger variant of the discrete log 
assumption, introduced in [BNPS01, BPa02]. In this variant, once we have selected 
$p, q$ at random and chosen $g$, we give the inverter $I$ access to two oracles. The 
challenge oracle $Ch$, when invoked, outputs a random element in the group generated 
by $g$. The discrete log oracle $DL$, when queried on a value $y \in \langle g \rangle$, 
outputs the $w$ such that $y = g^w \bmod p$. The goal of $I$ is to invert all the 
values issued to him by the challenge oracle ($I$ must invoke $Ch$ at least once), 
but $I$ is restricted to invoking $DL$ a number of times that is strictly smaller 
than the number of times he invoked $Ch$. We denote with 
$\mathrm{adv}^{\mathrm{1\text{-}more}}_I(n)$ the probability (taken over the choices 
of $p, q$ and the internal coin tosses of $I$ and $Ch$) that $I$ succeeds in this 
game. 

Assumption 2. We assume that the problem of one-more inversion of discrete 
logarithms is hard, i.e. we assume that $\mathrm{adv}^{\mathrm{1\text{-}more}}_I(n)$ 
is negligible in $n$. 

Note that when the number of queries to $Ch$ is equal to 1, this assumption is 
equivalent to Assumption 1. Though Assumption 2 is new, it looks reasonable and has 
the advantage, stated in [BPa02], of reducing the security of our identification 
scheme to the hardness of a well-specified number-theoretic problem. 

2.4 Schnorr’s Identification Scheme 

Let $p$ and $q$ be two primes such that $q \mid p-1$ and $|q| = n$. Let $g \neq 1$ be 
an element of order $q$ in $Z_p^*$. Let $G_q$ be the subgroup generated by $g$. The 
integers $p, q, g$ are known and can be common to a group of users. 

An identity consists of a private/public key pair. The private key $w$ is a 
random non-negative integer less than $q$. The public key is computed as 
$y = g^{-w} \bmod p$. 

The protocol is described in Figure 1. 

It is well known that Schnorr's protocol is an honest-verifier zero-knowledge proof 
of knowledge of $w$, the discrete logarithm of $y$. The reader is referred to [Sch91] 
for details. The protocol is only honest-verifier ZK because if a dishonest verifier 
chooses the challenge $e$ in a non-random way (in particular, dependent on the first 
message $x$) we are not able to simulate the interaction.¹ 

However, in [BPa02] it is shown that the Schnorr scheme is secure against 
impersonation under concurrent attacks, under the assumption that the discrete 
logarithm problem is secure under one-more inversion in the underlying group 
(Assumption 2). 



3 The New Identification Scheme 

In this section we present our generalization of Schnorr’s scheme to the case in 
which the prover wants to prove multiple identities. 

A naive generalization of Schnorr’s scheme would be to do the simultaneous 
authentication of d identities by composing d rounds in parallel. In other words 



¹ Note that it is also necessary to check that $y$ is in the proper group, by 
checking that $y^q = 1 \bmod p$, see [Bur90]. This can be added as a verification 
step, or the verifier can trust the certification authority that certified $y$ to 
have performed the test. A similar requirement holds for our protocol. 

Schnorr 

Common Input: $p, q, g, y$. A security parameter $t$. 

Secret Input for the Prover: $w \in Z_q$ such that $y = g^{-w} \bmod p$. 

1. Commitment by Prover. Prover picks $r \in_R Z_q$ and sends $x = g^r \bmod p$ to 
the Verifier. 

   Prover $\xrightarrow{\ x = g^r\ }$ Verifier 

2. Challenge from Verifier. Verifier picks a number $e \in_R [1..2^t]$ and sends it 
to the Prover. 

   Prover $\xleftarrow{\ e\ }$ Verifier 

3. Response from Prover. Prover computes $s = r + w \cdot e \bmod q$ and sends it 
to the Verifier. 

   Prover $\xrightarrow{\ s = r + w \cdot e\ }$ Verifier 

The Verifier checks that $x = g^s \cdot y^e \bmod p$ and accepts if and only if 
equality holds. 

Fig. 1. Schnorr's protocol 



the prover would send over d commitments and the verifier would reply with d 
challenges - one per identity. Note that this scheme has a communication and 
computation cost that is d times the cost of Schnorr’s original scheme. A possible 
improvement would be to use the same challenge for all rounds, and apply batch 
verification techniques (such as the ones in [BGR98]) to the last verification step. 
Even with these improvements, the communication and computation cost of the 
whole scheme would still be higher by a factor of d (the prover would still have 
to send and compute d commitments). 

We propose a more efficient scheme where the prover sends one commitment 
and the verifier sends one challenge across all identities. The prover’s response 
is generalized from a degree one polynomial to a degree d polynomial formed 
from the d secret keys. We are able to show that the resulting scheme is sound 
and further that it is secure against impersonation under concurrent attacks 
by extending the corresponding arguments in [Sch91] and [BPa02] respectively. 
We present two theorems that demonstrate that the new scheme is an honest- 
verifier zero knowledge proof of knowledge and also a secure identification against 
impersonation under concurrent attacks. 

The parameters are very similar to Schnorr's. Let $p$ and $q$ be two primes such 
that $q \mid p-1$. Let $g \neq 1$ be an element of order $q$ in $Z_p^*$. The integers 
$p, q, g$ are public, and can be common to a group of users. 

We have $d$ identities, each consisting of a private/public key pair indexed by 
$i$. The private keys $w_i$ are non-negative integers less than $q$, chosen uniformly 
at random. The public keys are computed as $y_i = g^{-w_i} \bmod p$. 

The Prover initiates the protocol by sending over the list of public keys $y_i$ 
for which it claims to possess the corresponding private keys $w_i$. The protocol is 
described in Figure 2. 



Batch-Schnorr 

Common Input: $p, q, g, y_1, \ldots, y_d$. A security parameter $t$. 

Secret Input for the Prover: $w_i \in Z_q$ such that $y_i = g^{-w_i} \bmod p$. 

1. Commitment by Prover. Prover picks $r \in_R Z_q$ and sends $x = g^r \bmod p$ to 
the Verifier. 

   Prover $\xrightarrow{\ x = g^r\ }$ Verifier 

2. Challenge from Verifier. Verifier picks a number $e \in_R [1..2^{t+\log d}]$ and 
sends it to the Prover. 

   Prover $\xleftarrow{\ e\ }$ Verifier 

3. Response from Prover. Prover computes $s = r + \sum_i w_i \cdot e^i \bmod q$ and 
sends it to the Verifier. 

   Prover $\xrightarrow{\ s = r + \sum_i w_i \cdot e^i\ }$ Verifier 

The Verifier checks that $x = g^s \cdot \prod_i y_i^{e^i} \bmod p$, and accepts if 
and only if equality holds. 

Fig. 2. Batch version of Schnorr's protocol 
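The two exchanges in Figures 1 and 2, run end to end as an added example (this is illustrative code written for this page, not the paper's implementation). Batch-Schnorr with $d = 1$ is exactly Schnorr's protocol, so one implementation covers both figures, and the subgroup check $y^q = 1 \bmod p$ from the footnote is done on the verifier's side. The group is generated at run time with toy sizes (64-bit $q$, 128-bit $p$) and a fixed random seed; both are assumptions made so the script runs in about a second, whereas the paper's own parameters are $|q| = 200$ and $|p| \approx 1500$.

```python
"""Batch-Schnorr identification (Figure 2); d = 1 is plain Schnorr (Figure 1).

Added example, not the paper's code.  Toy group sizes and a fixed seed are
assumptions so that the script runs quickly and reproducibly.
"""
import random

rng = random.Random(2004)   # fixed seed: constructed, reproducible example


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test; adequate for generating example parameters."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_group(qbits=64, pbits=128):
    """Primes q | p-1 and an element g != 1 of order q in Z_p^*."""
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:
        p = 2 * rng.getrandbits(pbits - qbits - 1) * q + 1   # even cofactor keeps p odd
        if p.bit_length() >= pbits - 1 and is_probable_prime(p):
            break
    while True:
        g = pow(rng.randrange(2, p - 1), (p - 1) // q, p)   # h^((p-1)/q) has order q or 1
        if g != 1:
            return p, q, g


def in_subgroup(y, p, q):
    """Footnote check: y must lie in <g>, i.e. y^q = 1 mod p."""
    return 0 < y < p and pow(y, q, p) == 1


def keygen(p, q, g, d):
    """d identities: w_i random in Z_q, y_i = g^{-w_i} mod p."""
    ws = [rng.randrange(q) for _ in range(d)]
    ys = [pow(g, q - w, p) for w in ws]       # g^{-w} = g^{q-w} since g has order q
    return ws, ys


def challenge_bits(t, d):
    """Challenge length t + log d of Figure 2 (ceil(log2 d); 0 for d = 1)."""
    return t + (d - 1).bit_length()


def prover_commit(p, q, g):
    r = rng.randrange(q)
    return r, pow(g, r, p)                    # r stays secret, x = g^r is sent


def verifier_challenge(t, d):
    return rng.randrange(1, 2 ** challenge_bits(t, d) + 1)


def prover_respond(q, r, ws, e):
    """s = r + sum_i w_i e^i mod q, with i running from 1 to d."""
    return (r + sum(w * pow(e, i + 1, q) for i, w in enumerate(ws))) % q


def verify(p, q, g, ys, x, e, s):
    """Accept iff x = g^s * prod_i y_i^{e^i} mod p (exponents reduced mod q)."""
    rhs = pow(g, s, p)
    for i, y in enumerate(ys):
        rhs = rhs * pow(y, pow(e, i + 1, q), p) % p
    return rhs == x


def run_identification(p, q, g, ws, ys, t=32):
    """One honest execution; returns the transcript and the verifier's decision."""
    d = len(ws)
    r, x = prover_commit(p, q, g)             # 1. Prover -> Verifier: x
    e = verifier_challenge(t, d)              # 2. Verifier -> Prover: e
    s = prover_respond(q, r, ws, e)           # 3. Prover -> Verifier: s
    return (x, e, s), verify(p, q, g, ys, x, e, s)


if __name__ == "__main__":
    p, q, g = gen_group()
    ws, ys = keygen(p, q, g, d=4)
    assert all(in_subgroup(y, p, q) for y in ys)
    (x, e, s), ok = run_identification(p, q, g, ws, ys)
    print("Batch-Schnorr with d = 4 accepted:", ok)
    print("tampered response accepted:", verify(p, q, g, ys, x, e, (s + 1) % q))
```

Running the file prints the verifier's decision for an honest four-identity run and for a tampered response; `challenge_bits(95, 32)` gives the $t + \log d = 100$ of Section 4.2.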



Theorem 1. Batch-Schnorr is an honest-verifier zero-knowledge proof of knowl- 
edge for d discrete logarithms. 

The complete proof is provided in [GLSY]. 

Notice that the protocol is not zero-knowledge in the general case, since a 
dishonest verifier could choose a challenge that depends on the commitment, 
making it difficult to generate transcripts with the same distribution without 
knowing the secret keys. Informally, however, the reason no information is 
revealed is that the numbers $x$ and $s$, the commitment and the response, are 
essentially random. This is the intuition behind the proof of security as an 
identification scheme. 

The following theorem (Theorem 2) shows that Batch-Schnorr is an identification 
scheme secure against impersonation under concurrent attacks. As mentioned 
before, this is our ultimate goal. We extend the proof in [BPa02] (which shows the 
security of Schnorr's scheme under this kind of attack) to our scheme. We remind 
the reader that in a concurrent attack the adversarial prover is allowed to play 
the role of the cheating verifier and interact concurrently with multiple honest 
prover clones prior to the impersonation attempt. Similarly to [BPa02], our proof 
is based on the assumption that discrete exponentiation is secure under $d$ more 
inversions in the underlying group (Assumption 2, used with $d$ fewer $DL$ queries 
than $Ch$ queries). 

Let $A$ denote the adversary that first takes on the role of fraudulent verifier 
and interacts concurrently with several honest prover clones before subsequently 
taking on the role of fraudulent prover. Let $\mathrm{adv}_A(k)$ denote the 
probability that $A$ is successful at impersonation. 

Theorem 2. If $A$ succeeds in an impersonation attack on Batch-Schnorr with 
probability $\mathrm{adv}_A(k)$ then there exists an inverter $I$ such that for 
every $k$ 

$\mathrm{adv}_A(k) \le 2^{-t} + \left(\mathrm{adv}^{\mathrm{1\text{-}more}}_I(k)\right)^{1/(d+1)}$ 

Proof. We show how to construct an inverter $I$ that interacts with $A$, the 
impersonation adversary. Via this interaction $I$ will compute the discrete 
logarithm of all the $n$ points it gets from the challenge oracle, by querying the 
discrete log oracle at most $n - d$ times. 

First the inverter $I$ queries $Ch$, the challenge oracle, $d$ times and obtains 
$d$ random group elements $y_i = g^{-w_i}$ (so the discrete logarithm $I$ must 
produce for $y_i$ is $-w_i \bmod q$). It then runs $A$ in cheating verifier mode 
using the $y_i$'s as the public keys. For each clone prover the commitment $x_j$ is 
obtained by querying the challenge oracle $Ch$. The third round response $s_j$ to 
challenge $e_j$ is computed by querying the discrete log oracle $DL$ on the value 
$x_j \prod_i y_i^{-e_j^{\,i}} = g^{s_j}$. Notice that this is a perfect simulation 
of a real concurrent attack. With $n$ we denote the total number of queries to the 
challenge oracle. Notice that $I$ queried the discrete log oracle only $n - d$ 
times. 

Now $I$ runs $A$ in cheating prover mode $d + 1$ times, rewinding it each time 
to the beginning (of the phase in which $A$ acts as a prover). This in particular 
means that the commitment issued by $A$ stays the same, since its internal state 
is the same. If any two challenges are the same then the inverter $I$ fails. 

Let $x = g^r$ be the commitment and let $s_i$ be the response corresponding to the 
distinct challenge $e_i$. If the cheating prover $A$ fails even once then the 
inverter $I$ fails. If the cheating prover $A$ succeeds each of the $d + 1$ times, 
then the inverter $I$ has $d + 1$ equations of the form 
$s_i = r + \sum_j w_j \cdot e_i^{\,j}$, with $d + 1$ unknowns, $r$ and the $d$ 
secret keys $w_j$. By inverting the Vandermonde matrix formed from these equations 
(nonsingular because the $e_i$ are distinct modulo $q$), they can be solved to 
obtain the $w_j$'s. These are the answers to the first $d$ queries $I$ made to $Ch$. 

Recall that $I$ must answer all the challenges he received from $Ch$. But the 
answer to each query $x_j$ can be easily computed as 
$s_j - \sum_k w_k \cdot e_j^{\,k}$. 

Thus with $n - d$ queries, $I$ succeeds in inverting all the $n$ points asked to 
the challenge oracle. The probability of success is the probability that $A$ 
succeeds $d + 1$ times. We will now estimate this probability. We first prove an 
auxiliary result that is a generalization of an equivalent result in [BPa02]. 

Lemma 1 (Generalized Reset Lemma). Consider any prover (potentially cheating). 
Let $A$ and $B$ be random variables over the space of the random coins, $RP$, of 
the prover. Let $A$ denote the probability, taken over $e$, that the verifier 
accepts. Let $B$ denote the probability, taken over the $e$'s, that when the 
verifier is reset and run $d + 1$ times, a different $e$ is generated each time and 
the verifier accepts each time. Let $acc = E(A)$ and $res = E(B)$. Then 
$acc \le 2^{-t} + res^{1/(d+1)}$. 

Proof. Let $1/c$ be the size of the challenge set, i.e. $\#e = 2^{t + \log d}$, so 
that $dc = 2^{-t}$. For fixed coins the $d + 1$ challenges are drawn without 
replacement from a set of which an $A$-fraction is accepting, so it is easy to see 
that $B \ge A(A - c)(A - 2c) \cdots (A - dc)$. This implies that 
$B \ge (A - dc)^{d+1}$ whenever $A \ge dc$, hence in all cases 
$A \le dc + B^{1/(d+1)}$. Taking expectations, and applying Jensen's inequality 
to the concave function $z \mapsto z^{1/(d+1)}$, yields 
$E(A) \le dc + E(B)^{1/(d+1)}$, i.e. $E(A) \le 2^{-t} + res^{1/(d+1)}$. 

Now observe that $\mathrm{adv}_A(k) = E(acc)$, where the expectation is taken over 
the choice of the $y_i$ and the knowledge gained as the cheating verifier. Similarly 
$\mathrm{adv}^{\mathrm{1\text{-}more}}_I(k) = E(res)$. Applying the reset lemma we 
see that 

$\mathrm{adv}_A(k) = E(acc) \le E\!\left(2^{-t} + res^{1/(d+1)}\right) = 2^{-t} + E\!\left(res^{1/(d+1)}\right)$ 

and then, by applying Jensen's inequality, 

$\mathrm{adv}_A(k) \le 2^{-t} + \left(E(res)\right)^{1/(d+1)} = 2^{-t} + \left(\mathrm{adv}^{\mathrm{1\text{-}more}}_I(k)\right)^{1/(d+1)}.$ 

This completes the proof of Theorem 2. 
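The extraction step of the proof, as an added example that is not part of the paper: given $d + 1$ accepting transcripts that share the commitment and have distinct challenges, the $d$ secret keys (and $r$) are the solution of a Vandermonde system modulo $q$, and each clone commitment's logarithm is then $s_j - \sum_k w_k e_j^{\,k}$. The block also checks the inequality behind Lemma 1 exactly, over all possible per-coin acceptance counts for a small challenge set. The prime $Q$ is a stand-in for the paper's 200-bit $q$ (an assumption), and the transcripts are constructed from known keys so that the recovered values can be compared against them.

```python
"""Knowledge extraction from Theorem 2 and the bound of Lemma 1 (added example).

Transcripts are constructed from known keys; Q is a stand-in prime (assumption).
"""
from fractions import Fraction

Q = 2 ** 61 - 1   # Mersenne prime standing in for the paper's 200-bit q (assumption)


def response(q, r, ws, e):
    """s = r + sum_j w_j e^j mod q, exactly as the Batch-Schnorr prover computes it."""
    return (r + sum(w * pow(e, j + 1, q) for j, w in enumerate(ws))) % q


def solve_mod_q(matrix, rhs, q):
    """Gauss-Jordan elimination over Z_q (q prime) for a nonsingular square system."""
    n = len(matrix)
    aug = [[v % q for v in row] + [b % q] for row, b in zip(matrix, rhs)]
    for col in range(n):
        pivot = next(i for i in range(col, n) if aug[i][col])
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], q - 2, q)           # Fermat inverse of the pivot
        aug[col] = [v * inv % q for v in aug[col]]
        for i in range(n):
            if i != col and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(a - f * b) % q for a, b in zip(aug[i], aug[col])]
    return [row[n] for row in aug]


def extract_keys(q, challenges, responses):
    """d+1 transcripts with the same x and distinct e_i  ->  (r, [w_1, ..., w_d])."""
    d = len(challenges) - 1
    if len(set(c % q for c in challenges)) != d + 1:
        raise ValueError("challenges must be distinct; the inverter fails otherwise")
    # unknown vector (r, w_1, ..., w_d); row i of the Vandermonde matrix is (1, e_i, ..., e_i^d)
    rows = [[pow(e, j, q) for j in range(d + 1)] for e in challenges]
    sol = solve_mod_q(rows, responses, q)
    return sol[0], sol[1:]


def clone_log(q, s_j, e_j, ws):
    """r_j = s_j - sum_k w_k e_j^k: the discrete log of a clone commitment x_j = g^{r_j}."""
    return (s_j - sum(w * pow(e_j, k + 1, q) for k, w in enumerate(ws))) % q


def reset_lemma_holds(N, d):
    """Exact check of A <= d*c + B^(1/(d+1)) for every per-coin acceptance count.

    N is the size of the challenge set (N > d), c = 1/N.  For coins with a accepting
    challenges, A = a/N and B = prod_{k<=d} (a-k)/(N-k) (draws without replacement).
    """
    c = Fraction(1, N)
    for a in range(N + 1):
        A = Fraction(a, N)
        B = Fraction(1)
        for k in range(d + 1):
            B *= Fraction(max(a - k, 0), N - k)
        if A > d * c and B < (A - d * c) ** (d + 1):
            return False
    return True


if __name__ == "__main__":
    ws, r = [123456789, 987654321, 555], 42424242       # constructed secret keys and r
    es = [3, 7, 11, 19]                                  # d + 1 = 4 distinct challenges
    ss = [response(Q, r, ws, e) for e in es]
    print("recovered (r, w):", extract_keys(Q, es, ss))
    print("reset lemma bound holds for N = 64, d = 3:", reset_lemma_holds(64, 3))
```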

The following corollary is a straightforward consequence of Theorem 2. 

Corollary 1. Under Assumption 2, and if $t = \omega(\log k)$, then Batch-Schnorr is 
a secure identification scheme against impersonation under concurrent attack. 

Note that the assumption that $t$ is super-logarithmic in $k$ is necessary; 
otherwise the scheme can be broken by guessing the verifier's challenge. 

3.1 Efficiency Analysis 

For a list of $d$ identities Batch-Schnorr uses only $O(\log d)$ more bits of 
communication than Schnorr's scheme for a single identity (assuming the same 
security level). 

In terms of computation Batch-Schnorr requires $2d$ extra modular multiplications 
for the prover. The verifier has to perform $d + 1$ modular exponentiations, while 
in Schnorr's scheme it has to perform 2. 

Notice that this is much faster than the known way of proving $d$ identities 
simultaneously, which consists of $d$ copies of Schnorr's protocol (in particular 
the verifier would have to perform $2d$ exponentiations instead of $d + 1$). 

3.2 Authorization Using Multiple Identities 

As we discussed in the Introduction, our identification scheme is suitable to 
implement Authorization using multiple identities without incurring a huge ef- 
ficiency cost. 

When a user joins a particular privilege class he is given a new public key, its 
matching secret key and a certificate that associates the key to that particular 
privilege class. Another possibility would be to have a unique key for each class, 
but that would make revocation very difficult to handle, as revoking one user in 
the class (say because her key was compromised or because she does not belong 
to the class anymore) would involve replacing the key of all users in the class. 

When a user needs to access certain data or services he uses our identification 
protocol to prove possession of the minimal set of privileges required for that 
access to take place. 

Another advantage of our approach is that it is easy to transfer privileges 
among parties. A motivating scenario for our application is having a smart card 
be able to talk to another smart card and transfer a subset of privileges to it 
(equivalent to a high ranking employee in a corporation enabling selective access 
to a lower ranked employee). In our scheme using multiple identities it is a simple 
matter to transfer the private keys corresponding to the selected list of privileges. 

4 Implementation 

In order to test the efficiency of our scheme we have implemented it. To carry out 
the implementation we used a recently proposed technology based on Light Emitting 
Diodes. We believe that another contribution of our paper is to show that this 
new technology allows the implementation of strong cryptography. 

Light Emitting Diodes, or LEDs, are one of the most ubiquitous interface 
components. Their diverse applications include numeric displays, flashlights, ve- 
hicle brake lights (and possibly even headlights [Hel03]), traffic signals and the 
omni-present power-on indicator. LEDs are so commonly used as light emitters 
that people often forget that they are fundamentally photodiodes and hence light 
detectors. Although LEDs are not optimized for light detection they are very 
effective at it. The interchangeability between solid-state light emission and de- 
tection was widely publicized in the 1970s by Forrest W. Mims [Mim86, Mim93], 
but has since largely been forgotten. 

Recently, a novel microprocessor interface circuit was invented which can 
alternately emit and detect light using an LED [DYL02]. In addition to the 
LED and two digital I/O pins of the microprocessor, the circuit requires only a 
single current-limiting resistor. When forward-biased the LED emits light and 
when back-biased it detects/measures the ambient light. The implications of 
LED-based data communication are significant, since it is essentially a software 
interface technique that uses existing hardware with minimal modification. "Every 
LED connected to a microprocessor can be thought of as a generic two-way 
data port" [DYL02]. One can conceive of numerous applications, e.g. using the 
power light on consumer appliances as a maintenance port for reading service 
information and uploading new firmware, or capturing a car stereo's fault log 
through the front panel display. 

We show how to build smartcards that communicate via LEDs and implement 
our Batch-Schnorr protocol. 

4.1 Hardware 

Batch-Schnorr was implemented using the Microchip PIC16LF628 microcontroller. The 
hardware was composed of a small printed circuit board 2cm by 4cm, a single 
push-button switch, an LED, a 3-volt lithium coin-cell battery, a capacitor and two 
resistors. The PIC uses 8-bit instruction words and runs at 5 MIPS (million 
instructions per second). It has 16KB of write-able storage. The prototypes were 
also equipped with an in-circuit programming connector, which allowed us to 
download code into the microcontroller. We also devised a small adapter board to 
convert this connector to Microchip's standard RJ-11 in-circuit debugging module. A 
mass-produced version should cost less than a dollar more than a similar LED 
keychain flashlight. The range of communication is a few centimeters at best and 
the data rate is 250 bits/second in each direction. We implemented Batch-Schnorr 
representing the prover in its full functionality. The verifier was implemented as 
an LED directly controlled by a PC. 

See Appendix B for a picture of our implementation. 

4.2 Security 

We chose a security parameter setting of $t = 95$. This is generally considered 
adequate security (see [Sch96]) for most practical purposes. We used $d = 32$. 
This made $t + \log d = 100$. This forced the prime $q$ to be 200 bits long because 
of the existence of the baby-step giant-step algorithm for finding discrete logs 
(see [Sch91]), which runs in roughly $\sqrt{q}$ steps. In conjunction with the 
existence of the general number field sieve (see [LOd91]) this, in turn, forced 
the prime $p$ to be about 1500 bits long. 

4.3 Prover 

The bulk of the implementation effort lay in the code for the prover. An impor- 
tant aspect of our implementation of Batch-Schnorr was that storage was at a 
premium. This is common with most smart cards where the storage is needed 
both for code as well as data. 

The main operation performed by the prover is modular multiplication. We 
initially attempted an implementation of the Fast Fourier Transform (see [Str88]) 
of Cooley and Tukey, which takes $O(n \log n)$ bit operations. However it turned 
out that our practical implementation of this scheme had high code complexity, 
even though it is more efficient asymptotically. 

Hence, we adopted a scheme that utilizes a pre-computed table to substantially 
save on both code complexity as well as computation time. For each of the private 
keys we stored a pre-computed table of the residues modulo $q$ of the product of the 
private key with the powers of 2 up to […]. Then to multiply the private key with 
any given number we added the residues corresponding to the powers of 2 present in 
the binary representation of that number. The residue modulo $q$ of […] enabled us 
to reduce the overflow when doing addition, so that we always had a number with 
$\log q$ bits. Upon receiving the challenge $e$ we first computed a similar table 
consisting of the residues modulo $q$ of the product of $e$ with the powers of 2 up 
to $2^{t + \log d}$. We then used this table to compute the powers of $e$, and then 
used the pre-computed tables of the secret keys to compute 
$s = r + \sum_i w_i \cdot e^i \bmod q$. This enhancement enabled the implementation 
to run in less than 2 seconds for our choice of the security parameters. 
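The table-driven multiplication described above, as an added illustration of the prover's arithmetic (this is example code written for this page, not the paper's firmware). For a fixed operand $w$ the table $T[k] = w \cdot 2^k \bmod q$ is built once; $w \cdot e \bmod q$ is then the sum of the $T[k]$ over the set bits of $e$, and whenever the running sum carries out of the top bit, the residue of $2^{|q|}$ is added in place of the carry so the accumulator never exceeds $|q|$ bits. The same routine computes the powers of $e$ from a table of $e$ and assembles the response $s = r + \sum_i w_i e^i \bmod q$. The prime $Q$ is a stand-in for the paper's 200-bit $q$ (an assumption); the tables here run to $2^{|q|-1}$, which is enough to multiply by any residue modulo $q$.

```python
"""Table-driven multiplication modulo q, after Section 4.3 (added example).

Q is a stand-in prime (assumption); the paper's implementation used a 200-bit q.
"""

Q = 2 ** 61 - 1   # Mersenne prime standing in for the paper's 200-bit q (assumption)


def mul_table(w, q):
    """T[k] = w * 2^k mod q for 0 <= k < |q|; one such table is stored per secret key."""
    table, cur = [], w % q
    for _ in range(q.bit_length()):
        table.append(cur)
        cur = cur * 2 % q
    return table


def table_mul(table, e, q):
    """w * e mod q using only additions of table entries (no hardware multiplier).

    The accumulator is kept to |q| bits: a carry out of the top bit is replaced by
    the residue of 2^|q| modulo q, which is the overflow trick the paper describes.
    """
    nbits = q.bit_length()
    mask = (1 << nbits) - 1
    top = pow(2, nbits, q)            # 2^|q| mod q, added back in place of a carry
    e %= q                            # multiplicand must fit the table
    acc, k = 0, 0
    while e:
        if e & 1:
            acc += table[k]           # acc < 2^|q| and table[k] < q, so at most one carry
            while acc >> nbits:
                acc = (acc & mask) + top
        e >>= 1
        k += 1
    return acc % q                    # final conditional reduction into [0, q)


def e_powers(e, d, q):
    """e^1, ..., e^d mod q, each obtained from the previous one through a table of e."""
    te = mul_table(e, q)
    powers, cur = [], 1
    for _ in range(d):
        cur = table_mul(te, cur, q)   # cur * e mod q
        powers.append(cur)
    return powers


def batch_response_tables(r, key_tables, e, q):
    """s = r + sum_i w_i e^i mod q, given the precomputed per-key tables."""
    s = r % q
    for tw, ei in zip(key_tables, e_powers(e, len(key_tables), q)):
        s = (s + table_mul(tw, ei, q)) % q
    return s


def batch_response(r, ws, e, q):
    """Convenience wrapper: build the key tables (done once on the card) and respond."""
    return batch_response_tables(r, [mul_table(w, q) for w in ws], e, q)


if __name__ == "__main__":
    ws, r, e = [11, 2 ** 40 + 3, 5, Q - 1], 7, 123456        # constructed sample values
    direct = (r + sum(w * pow(e, i + 1, Q) for i, w in enumerate(ws))) % Q
    print("table-based response:", batch_response(r, ws, e, Q))
    print("matches direct formula:", batch_response(r, ws, e, Q) == direct)
```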



5 Conclusion and Extensions 

We have presented a batch version of Schnorr’s protocol. In our scheme a prover 
can prove knowledge of d keys at essentially the same cost as proving knowledge 
of a single key. We believe this protocol can find several applications in the 
cryptography literature. 

We discussed the application of privacy-preserving authorization mechanisms. 
Also we presented an implementation of our protocol employing a new technol- 
ogy to use Light Emitting Diodes as two-way communication devices. We believe 
this to be another interesting contribution of our paper. 

In terms of future research, it would be interesting to devise a batch version 
of the Guillou-Quisquater identification protocol. 

Abstract. Secret handshakes were recently introduced [BDS+03] to allow members 
of the same group to authenticate each other secretly, in the sense that someone 
who is not a group member cannot tell, by engaging some party in the handshake 
protocol, whether that party is a member of this group. On the other hand, any two 
parties who are members of the same group will recognize each other as members. 
Thus, a secret handshake protocol can be used in any scenario where group members 
need to identify each other without revealing their group affiliations to 
outsiders. 

The work of [BDS+03] constructed secret handshakes secure under the Bilinear 
Diffie-Hellman (BDH) assumption in the Random Oracle Model (ROM). We show how to 
build secret handshake protocols secure under the more standard cryptographic 
assumption of Computational Diffie-Hellman (CDH), using a novel tool of 
CA-oblivious public key encryption, which is an encryption scheme such that neither 
the public key nor the ciphertext reveals any information about the Certification 
Authority (CA) which certified the public key. We construct such CA-oblivious 
encryption, and hence a handshake scheme, based on CDH (in ROM). The new scheme 
takes 3 communication rounds like the [BDS+03] scheme, but it is about half as 
expensive computationally. 

Keywords: authentication, privacy, anonymity, encryption. 

1 Introduction 

A secret handshake scheme, introduced by Balfanz et al. [BDS+03], allows two 
members of the same group to identify each other secretly, in the sense that 
each party reveals his/her affiliation to the other only if the other party is also 
a group member. For example, a CIA agent Alice might want to authenticate 
herself to Bob, but only if Bob is also a CIA agent. Moreover, if Bob is not a 
CIA agent, the protocol should not help Bob in determining whether Alice is a 
CIA agent or not. This secrecy property can be extended to ensure that group 
members' affiliations are revealed only to members who hold specific roles in the 
group. For example, Alice might want to authenticate herself as a CIA agent 
with security level one if and only if Bob is a CIA agent with security clearance 
two, and vice versa. 

P.J. Lee (Ed.): ASIACRYPT 2004, LNCS 3329, pp. 293-307, 2004. 

© Springer-Verlag Berlin Heidelberg 2004 

In other words, if $A$ is a member of group $G_a$ with role $r_a$ and $B$ is a member 
of $G_b$ with role $r_b$, a secret handshake scheme guarantees the following [BDS+03]: 

— $A$ and $B$ authenticate each other if and only if $G_a = G_b$.¹ 

— If $G_a \neq G_b$ then both parties learn only the sole fact that $G_a \neq G_b$. 

— $A$ can choose not to reveal anything about herself unless $B$ is a member with 
a particular role $r_b$ (and vice versa).² 

— An eavesdropper or a man in the middle learns nothing from the protocol. 

As observed in [BDS+03], secret handshakes seem to require new cryptographic 
protocols since they cannot be easily obtained from existing tools in the 
"cryptographic toolbox". For example, group signatures [CVH91, ACJT00] might 
appear to be an attractive building block for secret handshakes. However, they 
offer anonymity and unlinkability of group members' signatures, not secrecy of 
membership itself. In the interactive variant of group signatures, called identity 
escrow [KP98], one party can prove to another its membership in a group in an 
anonymous fashion. However, what turns out to be quite difficult is the seemingly 
simple issue of two parties proving group membership to each other simultaneously, 
in such a way that one party never reveals its group membership to another unless 
the former is also a member of the same group. 

Secret Handshake Scheme as a "CA-oblivious PKI". To be usable in practice, a 
secret handshake scheme must provide efficient revocation of any group member 
by the Group Authority (GA) which administers the group. To support this 
functionality we will consider secret handshake schemes which, like the scheme 
of [BDS+03], are similar to PKIs (Public Key Infrastructures), where the role 
of a group authority corresponds to that of a Certification Authority (CA) in a 
PKI. Namely, to become a member of a group a party needs the GA to issue a 
certificate on an ID bitstring which the CA agrees to assign to this party. The 
certificate must include a CA-specific trapdoor which corresponds to this ID.³ To 
revoke some party, the CA puts that party's ID on a revocation list. To perform 
a handshake, two parties first exchange their ID's, and then proceed only if the 
ID of the other party is not on the revocation list of their CA. Since the secret 
handshake protocol must hide one's group affiliation from outsiders, the ID's 
will be random strings picked from the same domain by all the CA's.⁴ 



¹ However, as noted by [BDS+03], a handshake protocol cannot be fair in the sense 
that if $G_a = G_b$ then one party is going to learn about it first and could abort the 
protocol and thus withhold their group affiliation from the counterparty. 

² To simplify the presentation, we will ignore roles for most of the paper. However, as 
we show in appendix A.1, they can be added easily. 

³ For example, in an identity based encryption scheme, the trapdoor is a secret key 
corresponding to the public key which can be recovered from ID and the public 
parameters associated with the CA. In a standard PKI system, this correspondence 
has an added level of indirection: the trapdoor $t$ is a secret key corresponding to 
the public key $PK$ which is in turn bound to the ID string by a signature of the CA on 
the $(ID, PK)$ pair. 

⁴ To make protocol runs executed by the same party unlinkable, [BDS+03] propose 
that a single user gets multiple (ID, certificate) pairs, each to be used only once. 

In this setting, constructing a secret handshake scheme amounts to solving 
the following protocol problem: For a given CA, Alice wants to prove to Bob 
that she possesses a trapdoor $t_A$ issued by this CA on her $ID_A$, but only if Bob 
possesses a trapdoor $t_B$ issued by the same CA on his $ID_B$ (and vice versa). 
Moreover, the protocol must be "CA-oblivious" in the sense that if a cheating 
Bob is not in the group administered by a given CA, and hence does not hold 
a CA-specific trapdoor $t_B$ associated with $ID_B$, then his interaction with Alice 
must not help him in guessing if Alice belongs to this group or not. (And vice 
versa for an honest Bob and a cheating Alice.) While this protocol problem 
can be solved in principle with general 2-party secure computation techniques, 
the issue remains whether it can be solved with a practical protocol, at a cost 
comparable to standard authentication protocols. 

Existing Solutions Based on Bilinear Maps. The secret handshake protocol of 
[BDS+03] is based on bilinear maps, which can be constructed using Weil pairings 
on elliptic curves [Jou02, Gag02]. The protocol of [BDS+03] builds on the 
non-interactive key-agreement scheme of [SOK00], and works as follows. As in the 
identity based encryption scheme of [BF01], $A$ and $B$ can compute each other's 
public keys from each other's ID's and from the public parameters associated 
with the CA. If Alice is a group member, she can use her trapdoor $t_A$ 
corresponding to $PK_A$ to non-interactively compute a session key from $(t_A, PK_B)$. 
Similarly, if Bob is a group member he can compute the same session key from 
$(t_B, PK_A)$. The two parties can then verify if they computed the same key via 
a standard MAC-based challenge-response protocol. Under the Bilinear Diffie-Hellman 
(BDH) assumption, it is easy to show (in the Random Oracle Model) that an attacker 
who does not hold the correct trapdoor cannot compute the session key. Moreover, 
the MAC-based challenge-response confirmation protocol has the needed property 
that without the knowledge of the key, one learns nothing from the counterparty's 
responses. 

Thus, the "CA-obliviousness" property of the protocol of [BDS+03] follows 
from two properties of cryptosystems built on bilinear maps: (1) that the 
receiver's public key can be recovered by the sender from the receiver's ID, and 
thus the receiver does not need to send any information revealing his CA 
affiliation to the sender, and (2) knowing their public keys, the two parties can 
establish a session key non-interactively, and thus they again do not reveal any 
CA-specific information. Given that the first property relies on identity based 
encryption, and that the only practical IBE known so far is based on bilinear 
maps [BF01], it seems that BDH is indeed needed for secret handshakes. 
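The MAC-based key-confirmation exchange described above, as an added example that is not part of the paper. The pairing-based, non-interactive derivation of the session key from $(t_A, PK_B)$ is not implemented here; instead each party is handed the key it is assumed to have derived (a stand-in produced by hashing a group label), so only the confirmation flows are shown: a party holding a different key, because it is not a member or belongs to another group, produces MACs that fail to verify and sees only random-looking strings from its counterparty. The party that learns of the mismatch first withholds its own MAC, which is the unfairness noted in the first footnote.

```python
"""MAC-based challenge-response confirmation of a (supposedly) shared session key.

Added example.  The session-key derivation of [BDS+03] is replaced by a stand-in
(derive_stand_in_key), an assumption made so the exchange runs on its own.
"""
import hashlib
import hmac
import os


def derive_stand_in_key(label):
    """Stand-in for the key a member derives non-interactively from (t_A, PK_B)."""
    return hashlib.sha256(b"stand-in session key|" + label).digest()


def mac(key, *parts):
    """HMAC-SHA256 over length-prefixed parts, so (nonce, name) cannot be re-split."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


class Party:
    def __init__(self, name, session_key):
        self.name = name              # the ID string exchanged in the clear
        self.key = session_key        # what this party believes the shared key is
        self.nonce = None

    def challenge(self):
        self.nonce = os.urandom(16)
        return self.nonce

    def respond(self, peer_nonce):
        return mac(self.key, b"confirm", peer_nonce, self.name)

    def check(self, response, peer_name):
        expected = mac(self.key, b"confirm", self.nonce, peer_name)
        return hmac.compare_digest(response, expected)


def handshake(alice, bob):
    """Three flows; returns (alice_accepts, bob_accepts)."""
    n_a = alice.challenge()                          # A -> B : n_A
    n_b = bob.challenge()                            # B -> A : n_B, MAC_K(n_A, B)
    a_ok = alice.check(bob.respond(n_a), bob.name)
    if a_ok:                                         # A -> B : MAC_K(n_B, A)
        r_a = alice.respond(n_b)
    else:                                            # keys differ: Alice learned it first
        r_a = os.urandom(32)                         # and withholds her affiliation
    b_ok = bob.check(r_a, alice.name)
    return a_ok, b_ok


if __name__ == "__main__":
    k = derive_stand_in_key(b"group-1")              # constructed group label
    print("both members:", handshake(Party(b"Alice", k), Party(b"Bob", k)))
    k2 = derive_stand_in_key(b"group-2")
    print("Bob in another group:", handshake(Party(b"Alice", k), Party(b"Bob", k2)))
```

Each response binds the counterparty's nonce and the responder's own name, so a response cannot be reflected back to its sender, and the constant-time comparison keeps the verifier from leaking partial matches.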

Our Contributions. In this paper we show that efficient secret handshake (SH) 
schemes can be built using weaker and more standard assumption than the 
BDH, namely the Computational Diffie Heilman (CDH) assumptions. However, 
our security arguments, just like those for the BDH-based scheme of [BDS+03] 
remain in the so-called Random Oracle Model (ROM). Moreover, the proposed 
scheme is computationally at least twice cheaper than the scheme of [BDS“*'03]. 
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We show this in several steps: First, we generalize the IBE-based secret hand- 
shake solution sketched above by showing that an efficient four-rounds secret 
handshake protocol can be built using any PKI-enabled encryption with the ad- 
ditional property of CA-obliviousness. We define the notion of {chosen-plaintext 
secure) PKI-enabled encryption, which generalizes both the Identity Based En- 
cryption schemes, and the standard encryption schemes used in the context of 
a PKI system like X.509. We define the CA-obliviousness property for this no- 
tion of PKI-enabled encryption, which requires that both the public-key-related 
information which the receiver provides to the sender, and the ciphertext sent 
from the sender to the receiver, do not reveal which CA issued the receiver’s 
certificate. We then show that every CA-oblivious PKI-enabled encryption leads 
to a four-round secret handshake protocol whose cost is one decryption and 
one encryption for each party. We also show an alternative construction, which 
creates a three-round secret handshake protocol using any CA-oblivious PKI- 
enabled encryption equipped with the so-called zero-knowledge “signature of 
knowledge” [CS97] of the private decryption key. 

Next, we combine ElGamal encryption and Schnorr signatures to construct a 
practical CA-oblivious PKI-enabled encryption secure under the CDH assump- 
tion (in ROM) , which thus leads to a four-round secret handshake protocol secure 
under CDH. However, since this encryption admits a very practical (in ROM) 
ZK signature of knowledge of the private key, which is simply the Schnorr sig- 
nature scheme itself, this results in a secret handshake scheme which takes three 
rounds, like the scheme of [BDS“''03], and which involves one multiexponenti- 
ation and one or two exponentiations per player. Compared to the cost of the 
scheme of [BDS+03], where each player computes a pairing of two elements one 
of which is known in advance, this is about twice less expensive, according to 
the results of Barreto et al. [BKLS02] . 

We also improve the functionality of a secret handshake system by showing 
that our CDH-based SH schemes support “blinded” issuance of the member 
certificates in the sense that the CA does not learn the trapdoors included in 
the certificate, and thus, in contrast to the BDH-based SH scheme of [BDS+03], 
the CA cannot impersonate that member. 

Finally, we note that the CA-oblivious encryption we devise can also be 
applied to provide a CDH-based solution to the Hidden Credentials problem 
[HBSO03], which generalizes the notion of secret handshakes to general PKI 
trust evaluations where two communicating partners are not necessarily certified 
by the same group/certification authority. This problem was also given only a 
BDH-based solution so far, in [HBSO03]. 

Related Work. As described in [BDS+03], existing anonymity tools such as 
anonymous credentials, group signatures, matchmaking protocols, or accumu- 
lators, have different goals than secret handshakes, and it is indeed unclear how 
to achieve a secret handshake scheme from any of them. Thus we will briefly 
discuss here only the new work of [LDB03], which proposes a new notion “obliv- 
ious signature-based envelopes”, which is closely related to the secret handshake 
problem. The oblivious envelope notion they define is very similar to our notion of 
PKI-enabled encryption, but with a weaker obliviousness property. Namely, they 
only require that the encrypting party does not know if the receiver possesses a 
CA-certified public/private key or not, but the protocol does not hide the iden- 
tity of the CA itself from the receiver. In contrast, our CA-oblivious encryption 
notion requires the protocol to hide this identity. Thus, while our CA-oblivious 
encryption gives an oblivious signature-based envelope for Schnorr signatures, 
the other direction is not clear. In particular, it remains an open problem if 
CA-oblivious encryption and/or secret handshakes can be constructed based on 
the RSA assumption.(*) 

Organization. In section 2 we revise the definitions of an SH scheme [BDS+03], 
restricting them to “PKI-like” SH schemes we consider here. In section 3 we 
define the notion of a PKI-enabled encryption, and the CA-obliviousness property 
for such encryption. In section 4 we construct a CA-oblivious encryption secure 
under CDH in ROM. In section 5 we give two general constructions of SH schemes 
from any CA-oblivious encryption. In appendix A we show how to support roles 
and blinded issuing of CA certificates. 

2 Definition of Secret Handshakes 

We adapt the definition of a secure Secret Handshake [SH] scheme from [BDS+03] 
to what we call “PKI-like” SH schemes. Our definitions might potentially restrict 
the notion of a secret handshake scheme, but both the SH scheme of [BDS+03] 
and our SH schemes fall into this category. We define an SH scheme as a tuple 
of probabilistic algorithms Setup, CreateGroup, AddMember, and Handshake s.t. 

— Setup is an algorithm executed publicly on the high-enough security parame- 
ter k, to generate the public parameters params common to all subsequently 
generated groups. 

— CreateGroup is a key generation algorithm executed by a GA, which, on input 
of params, outputs the group public key G, and the GA’s private key $t_G$. 

— AddMember is a protocol executed between a group member and the GA on 
GA’s input $t_G$ and shared inputs: params, G, and the bitstring ID (called a 
pseudonym in [BDS+03]) of size regulated by params. The group member’s 
private output is the trapdoor t produced by GA for the above ID. 

— Handshake is the authentication protocol, i.e. the SH protocol itself, executed 
between players A, B on public input $ID_A, ID_B$, and params. The private 
input of A is $(t_A, G_A)$ and the private input of B is $(t_B, G_B)$. The output of 
the protocol for either party is either a reject or accept. 

We note that AddMember can be executed multiple times for the same group 
member, resulting in multiple $(ID, t)$ authentication tokens for that member. We 



(*) In the poster advertising the preliminary version of these results in PODC’04, we 
erroneously claimed that we know how to get RSA-based CA-oblivious encryption 
scheme, but this claim was incorrect, and this issue is still an open problem. 
also note that in all the SH schemes discussed here the output of the Handshake 
protocol can be extended to include an authenticated session key along with the 
“accept” decision. 

2.1 Basic Security Properties 

An SH scheme must be complete, impersonator resistant, and detector resistant:(**) 

Completeness. If honest members A, B of the same group run Handshake with 
valid trapdoors $t_A, t_B$ generated for their ID strings $ID_A, ID_B$ and for the same 
group $G_A = G_B$, then both parties output “accept”. 

Impersonator Resistance. Intuitively, the impersonator resistance property is vi- 
olated if an honest party V who is a member of group G authenticates an adver- 
sary A as a group member, even though A is not a member of G. Formally, we 
say that an SH scheme is impersonator resistant if every polynomially bounded 
adversary A has negligible probability of winning in the following game, for any 
string IDv which models the ID string of the victim in the impersonation attack: 

1. We execute $params \leftarrow Setup(1^k)$, and $(G, t_G) \leftarrow CreateGroup(params)$. 

2. A, on input $(G, ID_V)$, invokes the AddMember algorithm on any number of 
group members $ID_i$ of his choice. (The GA’s inputs are $ID_i$’s, G, and $t_G$.) 

3. A announces a new $ID_A$ string, different from all the $ID_i$’s above. (This 
models a situation where the $ID_i$’s belong to group members who are mali- 
cious but who might be revoked.) 

4. A interacts with the honest player V in the Handshake protocol, on com- 
mon inputs $(ID_A, ID_V)$, and on V’s private inputs G and $t_V$, where 
$t_V \leftarrow AddMember((G, ID_V), t_G)$. 

We say that A wins if V outputs “accept” in the above Handshake instance. 
We note that the above impersonator resistance property is rather weak, 
and that stronger versions of this property are possible, and indeed advisable. 
Namely, the attacker should be allowed to run the protocol several times against 
V, and be able to ask for additional trapdoors after each attempt, before he 
announces that he is ready for the true challenge. Also, the attacker could be al- 
lowed to ask for trapdoors on additional $ID_i \neq ID_A$ strings during the challenge 
protocol with V. We adopt the simplest and weakest definition here to reduce 
the level of formalism in the paper. Nevertheless, we believe that our schemes 
remain secure under these stronger notions as well. 

Remark: We note that even such a strengthened notion of impostor resistance is 
not strong enough to be used in practice. For example, the resulting notion 
makes no claims of security against the man in the middle attacks, and no 
claims if the adversary triggers a handshake protocol with an honest owner of 
the $ID_A$ identity at any time before the adversary tries to authenticate himself 
to V under this identity. Therefore we do not claim that the above impostor 
resistance property is sufficient in practice. Instead, the above authentication- 
like notion of impostor resistance has to be first extended to Authenticated Key 
Agreement [AKE]. We discuss this further in the Section 2.2 below. 

(**) Once we restrict the notion of SH schemes to the PKI-like SH schemes, the security 
properties defined originally in [BDS+03] can be stated in a simpler way. Specifically, 
their properties of impersonator resistance and impersonator tracing are subsumed 
by our impersonator resistance, and their detector resistance and tracing is subsumed 
by what we call detector resistance. 

Detector Resistance. Intuitively, an adversary A violates the detector resistance 
property if it can decide whether some honest party V is a member of some group 
G, even though A is not a member of G. Formally, we say that an SH scheme 
is detector resistant if there exists a probabilistic polynomial-time algorithm 
SIM, s.t. any polynomially bounded adversary A cannot distinguish between 
the following two games with the probability which is non-negligibly higher than 
1/2, for any target ID string $ID_V$: 

Steps 1-3 proceed as in the definition of Impersonator Resistance, i.e. on 
input $ID_V$ and a randomly generated G, A queries GA on adaptively chosen 
$ID_i$’s and announces some challenge string $ID_A \neq ID_i$ for all i. 

4-1. In game 1, A interacts with an algorithm for the honest player V in the 
Handshake protocol, on common inputs $(ID_A, ID_V)$, and on V’s private 
inputs G and $t_V = AddMember((G, ID_V), t_G)$. 

4-2. In game 2, A interacts with SIM on common inputs $(ID_A, ID_V)$. 

5. A can query GA on additional strings $ID_i \neq ID_A$. 

6. A outputs “1” or “2”, making a judgment about which game he saw. 

Similarly to impersonator resistance, stronger notions of detector resistance 
are possible and indeed advisable. In particular, the adversary should be able to 
trigger several executions of the handshake protocol with player V, and he should 
be able to interleave these instances with instances executed with the rightful 
owner of the $ID_A$ identity. We adopt the above weak notion for simplicity, but 
our schemes satisfy these stronger notions as well. 

2.2 Extensions and Other Security Properties 

Authenticated Key Exchange. As mentioned in the previous section, the impos- 
tor resistance property defined above is only a weak authentication-like property 
which does not give sufficient guarantees in practice. Moreover, in practice one 
would like to extend the notion of a secret handshake from one where partic- 
ipants’ outputs are binary decisions “accept”/“reject”, to authenticated key 
exchange, where parties output instead either “reject” or a secure session key. 
We believe that the SH schemes we propose, just like the original SH protocol 
of [BDS+03], can be easily extended to AKE protocols using the standard AKE 
protocol techniques. However, the formal security analysis of the resulting proto- 
cols requires adoption of AKE formalism [BR93, CK02, Sho99], which is beyond 
the scope of this paper. 







Group- Affiliation Secrecy Against Eavesdroppers. Our schemes also protect 
secrecy of participants’ group affiliations against eavesdroppers, even if the eaves- 
dropper is a malicious member of the same group. An observer of our SH proto- 
cols does not even learn if the participants belong to the same group or not. We 
do not formally define security against eavesdroppers, because it is very similar 
to the security against active attackers which we do define, the impersonator 
and detector resistance. Moreover, if the protocol participants first establish a 
secure anonymous session, e.g. using SSL or IKE, and then run the SH protocol 
over it, the resulting protocol is trivially secure against eavesdroppers. 

Unlinkability. A potentially desirable property identified in [BDS+03], is unlink- 
ability, which extends privacy protection for group members by requiring that 
instances of the handshake protocol performed by the same party cannot be 
efficiently linked. This can be achieved trivially (but inefficiently) by issuing to 
each group member a list of one-time certificates, each issued on a randomly 
chosen ID, to be discarded after a single use. Unfortunately, an honest mem- 
ber’s supply of one-time certificates can be depleted by an active attacker who 
initiates the handshake protocol enough times. Indeed, while one can run our 
SH schemes using multiple certificates to offer some heuristic protections against 
linking, constructing an efficient and perfectly unlinkable SH scheme remains an 
open problem. 

3 Definition of PKI-Enabled CA-Oblivious Encryption 

We define the notion of PKI-enabled encryption, which models the use of stan- 
dard encryption in the context of a PKI system, and also generalizes Iden- 
tity Based Encryption. We define one-way security for PKI-enabled encryption, 
adapting a standard (although weak) notion of one-way security of encryption to 
our context, and we define a novel CA-obliviousness property for such schemes. 

A PKI-enabled encryption is defined by the following algorithms: 

— Initialize is run on a high-enough security parameter, k, to generate the pub- 
lic parameters params common to all subsequently generated Certification 
Authorities (CAs). 

— CAInit is a key generation algorithm executed by a CA. It takes as inputs 
the system parameters params and returns the public key G and the private 
key $t_G$ of the CA. 

— Certify is a protocol executed between a CA and a user who needs to be 
certified by this CA. It takes CA’s private input $t_G$, and public inputs G 
(assume that G encodes params) and string ID which identifies the user, 
and returns trapdoor t and certificate $\omega$ as the user’s outputs. 

— Recover is an algorithm used by a sender, a party who wants to send an 
encrypted message to a user identified by some string ID, to recover that 
user’s public key. It takes inputs $(G, ID, \omega)$ and outputs a public key PK. 

— Enc is the actual encryption algorithm which takes inputs message m and 
the public key PK (assume that PK encodes params and G), and outputs 
a ciphertext c. 
— Dec is the decryption algorithm which takes as inputs the ciphertext c and 
the trapdoor t (as well as possibly params, G, ID, and $\omega$, all of which can 
be encoded in t), and returns m. 

The above algorithms must satisfy the obvious correctness property that the 
decryption procedure always inverts encryption correctly. 

It is easy to see (see footnote 3) that this notion of encryption indeed models 
both regular encryption schemes in the PKI context as well as the Identity Based 
encryption schemes. 

One- Way Security. We define the security of PKI-enabled encryption only in the 
relatively weak sense of so-called one-way security, namely that the attacker who 
does not own a trapdoor for some public key cannot decrypt an encryption of a 
random message. This is a weaker notion than the standard semantic security 
for an encryption, but we adopt it here because (1) it simplifies the definition of 
security, (2) one-way security is all we need in our construction of a secure SH 
scheme, and (3) in the Random Oracle Model, it is always possible to convert 
a one-way secure encryption into a semantically secure encryption, or even a 
CCA-secure encryption using the method of Fujisaki and Okamoto [FO99]. 

The definition of security for PKI-enabled encryption is very similar to the 
definition of security of an IBE scheme: We say that a PKI-enabled encryption 
scheme is One-Way (OW) secure on message space $M$ under Chosen-Plaintext 
Attack (CPA), if every polynomially-bounded adversary A has only negligible 
probability of winning the following game: 

1. The Initialize and CAInit algorithms are run, and the resulting public key G 
is given to A. 

2. A repeatedly triggers the Certify protocol under the public key G, on ID 
strings $ID_i$ of A’s choice. In each instance A receives $(t_i, \omega_i)$ from the CA. 

3. A announces a pair $(ID_A, \omega)$ where $ID_A \neq ID_i$ for all $ID_i$’s queried above. 

4. A receives $c = Enc_{PK}(m)$ for a random message $m \in M$ and 
$PK = Recover(G, ID_A, \omega)$. 

5. A is allowed to trigger the Certify algorithm on new $ID_i \neq ID_A$ strings of 
his choice, getting additional $(t_i, \omega_i)$ pairs from the CA. 

6. A outputs a message m'. If m' = m then we say that A wins. 

CA-Obliviousness. Informally, PKI-enabled encryption is CA-oblivious if (1) the 
receiver’s message to the sender, i.e., the pair $(ID, \omega)$, hides the identity of the 
CA which certified this ID; and (2) the sender’s messages to the receiver, i.e., 
ciphertexts, do not leak any information about the CA which the sender assumed 
in computing the receiver’s public key. Consequently, in a standard exchange of 
messages between the receiver and the sender, neither party can guess which CA 
is assumed by the other one. Formally, we call a PKI-enabled encryption scheme 
CA-oblivious under two conditions: 

(I) It is “Receiver CA-oblivious”, i.e., if there exists a probabilistic polynomial- 
time algorithm $SIM_{(R)}$, s.t. no polynomially-bounded adversary A can distin- 
guish between the following two games with probability non-negligibly higher 
than 1/2, for any target ID string $ID_R$: 
1. The Initialize and CAInit algorithms are executed, and the resulting param- 
eters params and the public key G are given to A. 

2. A can trigger the Certify protocol on any number of $ID_i$’s. 

3-1. In game 1, A gets $(ID_R, \omega_R)$ where $\omega_R$ is output by the Certify protocol on 
G and $ID_R$. 

3-2. In game 2, A gets $(ID_R, r)$ where $r = SIM_{(R)}(params)$. 

4. A can trigger the Certify protocol some more on any $ID_i \neq ID_R$. 

5. A outputs “1” or “2”, making a judgment about which game he saw. 

(II) It is “Sender CA-oblivious”, i.e., if there exists a probabilistic polynomial- 
time algorithm $SIM_{(S)}$ s.t. no polynomially-bounded adversary A can distin- 
guish between the following two games, with probability non-negligibly higher 
than 1/2: 

1. The Initialize and CAInit algorithms are executed, and the resulting param- 
eters params and the public key G are given to A. 

2. A can trigger the Certify protocol any number of times, for public key G and 
group members $ID_i$’s of A’s choice. 

3. A announces pair $(ID_R, \omega_R)$ on which he wants to be tested, where 
$ID_R \neq ID_i$ for all i. 

4-1. In game 1, A gets $c = Enc_{PK_R}(m)$ for random $m \in M$ and 
$PK_R = Recover(G, ID_R, \omega_R)$. 

4-2. In game 2, A gets $c = SIM_{(S)}(params)$. 

5. A can query GA on some more $ID_i$’s s.t. $ID_i \neq ID_R$. 

6. A outputs “1” or “2”, making a judgment about which game he saw. 



4 Construction of CA-Oblivious Encryption 

We construct a CA-oblivious PKI-enabled encryption scheme secure based on 
the CDH assumption in the Random Oracle Model.(***) 

— Initialize picks the standard discrete logarithm parameters (p, q, g) of security 
k, i.e., primes p, q of size polynomial in k, s.t. g is a generator of a subgroup 
in $Z_p^*$ of order q. Initialize also defines hash functions $H : \{0,1\}^* \to Z_q$ and 
$H' : \{0,1\}^* \to \{0,1\}^k$. (Both hash functions are modeled as random oracles, 
but we note that H' is not essential in this construction and can be easily 
removed.) 

— CAInit picks random private key $x \in Z_q$ and public key $y = g^x \bmod p$. 

— In Certify on public inputs (y, ID), the CA computes the Schnorr signature 
on string ID under the key y [Sch89], i.e., a pair $(\omega, t) \in (Z_p^*, Z_q)$ s.t. 
$g^t = \omega y^{H(\omega, ID)} \bmod p$. The user’s outputs are the trapdoor t and the certificate $\omega$. 
The signature is computed as $\omega = g^r \bmod p$, and $t = r + xH(\omega, ID) \bmod q$, 
for random $r \leftarrow Z_q$. 

— Recover(y, ID, $\omega$) outputs $PK = \omega y^{H(\omega, ID)} \bmod p$. 

— $Enc_{PK}(m)$ is an ElGamal encryption of message $m \in \{0,1\}^k$ under the public 
key PK: It outputs a ciphertext $[c_1, c_2] = [g^r \bmod p, m \oplus H'(PK^r \bmod p)]$, 
for random $r \in Z_q$. 

— Dec is an ElGamal decryption, outputting $m = c_2 \oplus H'(c_1^t \bmod p)$. 

(***) We remark that since the Identity Based Encryption scheme of [BF01] is also a CA- 
oblivious PKI-based encryption scheme, the SH construction of Section 5 applied to 
that encryption scheme implies efficient BDH-based SH schemes. 

Theorem 1. The above encryption scheme is CA-oblivious and One-Way se- 
cure under the CDH assumption in the Random Oracle Model. 

Proof (of One-Way Security). Assume that an adversary A breaks one-wayness 
of this encryption scheme. This means that after receiving n Schnorr signatures 
$(t_i, \omega_i)$ on $ID_i$’s of his choice, A sends a tuple $(ID, \omega)$ s.t. $ID \neq ID_i$ for all the 
above $ID_i$’s, and (in ROM), to break one-wayness A must query the H' oracle on 
$c_1^t \bmod p$ where $g^t = \omega y^{H(\omega, ID)} \bmod p$. Therefore, A must exponentiate a random 
element $c_1$ it received to the exponent t. Hence, what we need to argue is that, 
even though A receives n signatures $(t_i, \omega_i)$ on her $ID_i$’s, she cannot produce a 
new pair $(ID, \omega)$ s.t. she can exponentiate a random element $c_1$ to exponent t 
where $g^t = \omega \cdot y^{H(\omega, ID)}$. Now, this is very similar to proving the chosen message 
attack security of the underlying Schnorr signature scheme, where one argues 
that, after receiving n signatures, A cannot produce a new triple $(ID, \omega, t)$ s.t. 
$g^t = \omega \cdot y^{H(\omega, ID)}$. Hence, our proof is very similar to the forking-lemma proof 
for Schnorr signature security in [PS96]. However, here we reduce the successful 
attack not to computing discrete logarithm, but to breaking the CDH assumption 
by computing $m^x$ on input $y = g^x$ and a random value m. 

To reduce A’s ability to succeed in this protocol to computing $m^x$ on the 
Diffie-Hellman challenge $(g, g^x, m)$, we first simulate, as in the proof of Schnorr 
signature security, the signatures $(t_i, \omega_i)$ that A gets on her $ID_i$’s, by taking 
random $t_i, c_i$, computing $\omega_i = g^{t_i} \cdot y^{-c_i} \bmod p$, and assigning $H(\omega_i, ID_i)$ to 
$c_i$. Since the verification equation is satisfied and $t_i, c_i$ are picked at random, 
this is indistinguishable from receiving real signatures. Then, as in the forking 
lemma argument of [PS96], we can argue that if A’s probability of success is $\epsilon$, 
the probability that A executed twice in a row succeeds in both executions and 
sends the same $(ID, \omega)$ challenge in both of them, is at least $\epsilon^2/q_H$ where $q_H$ is 
the number of queries A makes to the hash function H (see [PS96]). The forking 
lemma used in the security proof of the Schnorr signature scheme shows that if 
two conversations with an adversary produce triples $(s, \omega, ID)$ and $(s', \omega, ID)$, 
where in the first conversation $H(\omega, ID) = c$ and in the second $H(\omega, ID) = c'$ for 
some random c, c', then $x = DL_g(y)$ can be computed as 
$x = (s - s')/(c - c') \bmod q$, because $g^s = \omega \cdot y^c$ and $g^{s'} = \omega \cdot y^{c'}$. By applying 
the same forking lemma to our case, adversary A produces two exponentiations 
$m^t$ and $m^{t'}$, instead of forgeries t, t', but still we have that 
$x = DL_g(y) = (t - t')/(c - c')$. Therefore, with probability $\epsilon^2/q_H$ we can break 
the CDH challenge and compute 
$m^x = m^{(t - t')/(c - c')} = (m^t / m^{t'})^{1/(c - c')} \bmod p$. 

Note that if the success probability $\epsilon$ is higher than negligible, and if A is 
an efficient algorithm and hence the number of queries $q_H$ is polynomial, then 
the probability of CDH break $\epsilon^2/q_H$ is non-negligible as well. 
Proof (of CA-Obliviousness). It is easy to see that neither $\omega$ nor the ciphertext 
$C = [c_1, c_2]$ reveal any information about the CA: Since $\omega = g^r$ for random r, 
$\omega$ is independent from CA’s public key y, and hence the scheme is receiver CA- 
oblivious. Ciphertext $C = [c_1, c_2]$ on a random message m is also independent 
from the group key y, because $c_1 = g^r$ for random r and $c_2$ is computed by 
xoring $H'(PK^r)$ with the random m. 



5 Secret Handshakes from CA-Oblivious Encryption 

We first show how to build a secure four-round SH scheme using CA-oblivious 
PKI-enabled encryption. Given a CA-oblivious one-way secure PKI-enabled 
encryption scheme (Initialize, CAInit, Certify, Recover, Enc, Dec), and a hash 
function $H : \{0,1\}^* \to \{0,1\}^k$ modeled as a random oracle, we specify a secret 
handshake scheme as follows: Algorithms Setup, CreateGroup, and AddMember, 
are simply set to Initialize, CAInit, and Certify, respectively, while algorithm 
Handshake proceeds as follows. A’s inputs are $(ID_A, \omega_A, t_A)$ and B’s inputs are 
$(ID_B, \omega_B, t_B)$. 

1. (B → A): $ID_B, \omega_B$ 

- A obtains $PK_B = Recover(G, ID_B, \omega_B)$ 

- A picks $r_a \leftarrow M$ and $ch_a \leftarrow \{0,1\}^k$ 

- A computes $C_a = Enc_{PK_B}(r_a)$ 

2. (A → B): $ID_A, \omega_A, C_a, ch_a$ 

- B obtains $PK_A = Recover(G, ID_A, \omega_A)$ 

- B obtains $r_a = Dec_{t_B}(C_a)$ 

- B picks $r_b \leftarrow M$ and $ch_b \leftarrow \{0,1\}^k$ 

- B computes $C_b = Enc_{PK_A}(r_b)$ 

- B computes $resp_b = H(r_a, r_b, ch_a)$ 

3. (B → A): $C_b, resp_b, ch_b$ 

- A obtains $r_b = Dec_{t_A}(C_b)$ 

- if $resp_b \neq H(r_a, r_b, ch_a)$, A outputs FAIL; otherwise A outputs ACCEPT. 

- A computes $resp_a = H(r_a, r_b, ch_b)$ 

4. (A → B): $resp_a$ 

- if $resp_a \neq H(r_a, r_b, ch_b)$, B outputs FAIL; otherwise B outputs ACCEPT. 

We note that the above protocol can be easily turned into an Authenticated 
Key Exchange (AKE) protocol (secure in the ROM model) if the two parties 
compute their authenticated session key as $K = H(r_a, r_b)$. 

Theorem 2. If the PKI-enabled encryption is CA-oblivious and One-Way se- 
cure, the above construction yields a Secret Handshake scheme secure in the 
Random Oracle Model (ROM). 



Group member’s trapdoor on string ID in this SH scheme is a pair $(\omega, t)$ produced 
by the Certify protocol. We can also assume that $(ID_A, ID_B)$ are public inputs. 
Proof (of Impersonator Resistance). Assume that A violates with non-negligible 
probability $\epsilon$ the impersonator resistance property against some honest member 
V identified by $ID_V$. Assume that A plays the role of A and V plays the role of B 
(the other case is easier because B has to speak first). Therefore with prob. $\epsilon$, A 
sends a valid $resp_a = H(r_a, r_b, ch_b)$ response to B. In the ROM model, that can 
happen with non-negligible probability only if A queries the oracle for H(·) on 
the input $(r_a, r_b, ch_b)$ s.t., in particular, $r_b$ was the value picked by V and sent to 
A in the form of a ciphertext $C_b = Enc_{PK_A}(r_b)$ for $PK_A = Recover(G, ID_A, \omega_A)$, 
where $(ID_A, \omega_A)$ are sent by A in its first message to V. Therefore, in ROM, we 
can use A to create a break A' against the one-way security of the encryption 
scheme: 

On input G, A' passes the public key G to A. When A makes a query 
$ID_i$, so does A', passing back $(t_i, \omega_i)$ to A. When A announces that he is ready 
for the impersonation challenge against V, A' passes as his encryption challenge 
the pair $(ID_A, \omega_A)$ sent by A in his first message to V. On encryption challenge 
$c = Enc_{PK_A}(m)$ where m is chosen at random in M, A' passes the same challenge 
as its response $C_b = c$ to A, together with a random challenge value $ch_b$ and 
$resp_b$ picked at random. The only way A can tell between this communication 
and a conversation with an honest V is by querying H on $(r_a, r_b, ch_a)$ for 
$r_b = Dec_{t_A}(C_b) = m$. Otherwise, as we argued above, he queries H on $(r_a, r_b, ch_b)$ 
with probability almost $\epsilon$. In either case, since A can make only polynomially- 
many queries to H, A' can pick one such query at random, and A' will have a 
non-negligible chance of outputting $r_b = m$. Thus A' breaks the one-wayness of 
the encryption scheme. 

Proof (of Detector Resistance). We will show a simulator SIM s.t. if A distin- 
guishes between interactions with SIM and interactions with a group member, 
we can break the one-way security of the encryption scheme. Assume again that 
the adversary A plays the role of A and V plays the role of B. Assume that the 
underlying encryption scheme is CA-oblivious, and therefore there exist sim- 
ulators $SIM_{(S)}$ and $SIM_{(R)}$ which satisfy the two CA-obliviousness criteria. 
We define a simulator SIM, running on input $(ID_V, params)$, as follows: 

(1) To simulate B’s first message SH-1, SIM sends $ID_B = ID_V$ together with 
$\omega_B = SIM_{(R)}(params)$, (2) To simulate B’s second message SH-3, SIM sends 
$resp_b$ and $ch_b$ picked at random, and $C_b = SIM_{(S)}(params)$. 

If A can distinguish a conversation with such SIM from a conversation with 
a true group member V, then by a standard hybrid argument, since the $SIM_{(S)}$ 
and $SIM_{(R)}$ simulators produce messages which are indistinguishable from the 
messages of an honest B, it must be that A distinguishes random values $resp_b$ 
chosen by SIM from values $resp_b = H(r_a, r_b, ch_a)$ computed by a real player. 
But this can happen only if A makes an oracle query on the triple $(r_a, r_b, ch_a)$, 
in which case we can use A, exactly in the same manner as we did in the proof 
of impersonator resistance, to attack the one-way security of the underlying 
encryption scheme. 
5.1 Three-Round Secret Handshake Scheme 

We can eliminate one communication round in the above protocol using the zero- 
knowledge signature of knowledge [CS97] of the trapdoor t that corresponds to 
the public key $PK = Recover(G, ID, \omega)$, which we will denote $sig_t(m)$. One can 
easily construct such signatures in ROM if this relation admits a 3-round honest- 
verifier special-soundness proof system [CS97]. The protocol proceeds as follows, 
using the same notation as above: 

1. (B → A): $(ID_B, \omega_B, ch_b)$ 

- A computes $PK_B = Recover(G, ID_B, \omega_B)$ and $c = Enc_{PK_B}(r_a, sig_{t_A}(ch_b))$ 

2. (A → B): $(ID_A, \omega_A, ch_a, c)$ 

- B accepts if c decrypts to $(r_a, sig)$ where sig verifies as a signature on $ch_b$ 
under the public key $PK_A = Recover(G, ID_A, \omega_A)$ 

3. (B → A): $resp_b = H(r_a, ch_a)$ 

- A accepts if $resp_b = H(r_a, ch_a)$ 

In the case of the CDH-based encryption of Section 4, the above signature of 
knowledge is simply a Schnorr signature, and the resulting computational cost 
is one or two exponentiations and one multiexponentiation per player. 
A Achieving Additional Properties 

A.1 Roles 

Our schemes can easily be extended to handle group member roles (as in the SH 
scheme of [BDS+03]), in a way that a member can choose not to reveal anything 
about herself unless the other party is a member with a particular role r (and 
vice versa). This functionality can be provided by modifying the AddMember 
and Recover procedures as follows: 

- AddMember: takes as inputs params, G, $t_G$ and an arbitrary string 
$ID \in \{0,1\}^*$ and returns $(\omega, t)$ where t is a trapdoor and $\omega$ is a public parameter. 
$(\omega, t)$ are constructed using the string $ID|r$ (instead of ID as in the original 
procedure), where r is the role that the CA is assigning to the user. 

- Recover: takes as input params, G, ID and $\omega$ (provided by another user B). 
It outputs a public key PK using as input $ID|r$ (instead of ID as in the 
original Recover procedure), where r is the role that A chooses to have a 
secret handshake with. 

A.2 Trapdoor Secrecy 

Since CA computes the user’s trapdoor t, it can impersonate that user. Should 
that be problematic, AddMember can easily be modified to blind the trapdoor if 
in the AddMember protocol the user supplies the CA with $b = g^\delta \bmod p$, where 
$\delta$ is the user’s temporary secret. The CA can then reply with $\omega = g^k \cdot b \bmod p$, 
where k is a random value in $Z_q$, and $t' = k + H(\omega, ID) \cdot t_G \bmod q$, and the user 
computes his trapdoor as $t = t' + \delta \bmod q$. 
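As an added example that is not part of the paper (not the authors' code), the following Python implements the CDH-based scheme of Section 4 (CAInit, Certify, Recover, Enc, Dec), the four-round handshake of Section 5, and the blinded issuance of Appendix A.2, and runs handshakes between members of the same CA and of different CAs. It assumes a constructed toy group (a 40-bit safe prime found at import time, far too small for real use), SHA-256 standing in for both random oracles H and H', k = 256, and helper names such as handshake, certify_blinded and H3 that are this example's own.

```python
import hashlib
import hmac
import secrets

def _is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; exact for n < 3e23 with these 12 bases."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 41:
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        if all((x := x * x % n) != n - 1 for _ in range(s - 1)):
            return False
    return True

def _toy_group(bits: int = 40):
    """Smallest safe prime p = 2q+1 above 2**bits, with g = 4 of order q.
    Constructed toy parameters: a real deployment needs p of 2048+ bits."""
    q = (1 << bits) | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = _toy_group()
K = 32  # k = 256 bits: nonces, challenges and H' outputs are 32 bytes

def H(omega: int, ID: str) -> int:
    """H : {0,1}* -> Z_q, the hash inside the Schnorr certificate (SHA-256 here)."""
    return int.from_bytes(hashlib.sha256(f"{omega}|{ID}".encode()).digest(), "big") % Q

def Hp(point: int) -> bytes:
    """H' : {0,1}* -> {0,1}^k, the ElGamal key-derivation hash (SHA-256 here)."""
    return hashlib.sha256(str(point).encode()).digest()

def ca_init():
    """CAInit: private key x in Z_q, public key y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def certify(x: int, ID: str):
    """Certify: Schnorr signature (omega, t) on ID with g^t = omega * y^H(omega,ID)."""
    r = secrets.randbelow(Q - 1) + 1
    omega = pow(G, r, P)  # g^r does not depend on y: this is receiver CA-obliviousness
    return omega, (r + x * H(omega, ID)) % Q

def certify_blinded(x: int, ID: str, delta: int):
    """Appendix A.2: the user sends b = g^delta, so the CA never learns t itself."""
    b = pow(G, delta, P)                        # user -> CA
    k = secrets.randbelow(Q - 1) + 1
    omega = pow(G, k, P) * b % P                # CA -> user, together with t'
    t_prime = (k + H(omega, ID) * x) % Q
    return omega, (t_prime + delta) % Q         # user completes t = t' + delta

def recover(y: int, ID: str, omega: int) -> int:
    """Recover: PK = omega * y^H(omega,ID) mod p, which equals g^t for a valid cert."""
    return omega * pow(y, H(omega, ID), P) % P

def enc(PK: int, m: bytes) -> tuple:
    """Enc: ElGamal [c1, c2] = [g^r, m XOR H'(PK^r)]; neither component depends on y."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), bytes(a ^ b for a, b in zip(m, Hp(pow(PK, r, P))))

def dec(t: int, c: tuple) -> bytes:
    """Dec: m = c2 XOR H'(c1^t). With a mismatched CA this yields an unrelated string."""
    return bytes(a ^ b for a, b in zip(c[1], Hp(pow(c[0], t, P))))

def H3(*parts: bytes) -> bytes:
    """The random-oracle H of Section 5 applied to (r_a, r_b, ch)."""
    return hashlib.sha256(b"|".join(parts)).digest()

def handshake(A: tuple, B: tuple) -> tuple:
    """Four-round SH of Section 5. Each party holds (group key it trusts, ID, omega, t).
    Returns (A's decision, B's decision)."""
    yA, IDa, wa, ta = A
    yB, IDb, wb, tb = B
    # SH-1, B -> A: ID_B, omega_B.  A recovers PK_B under the CA key *A* trusts.
    PKb = recover(yA, IDb, wb)
    ra, cha = secrets.token_bytes(K), secrets.token_bytes(K)
    Ca = enc(PKb, ra)
    # SH-2, A -> B: ID_A, omega_A, C_a, ch_a
    PKa = recover(yB, IDa, wa)
    ra_at_b = dec(tb, Ca)                       # equals ra only if both CAs match
    rb, chb = secrets.token_bytes(K), secrets.token_bytes(K)
    Cb = enc(PKa, rb)
    respb = H3(ra_at_b, rb, cha)
    # SH-3, B -> A: C_b, resp_b, ch_b
    rb_at_a = dec(ta, Cb)
    a_out = "ACCEPT" if hmac.compare_digest(respb, H3(ra, rb_at_a, cha)) else "FAIL"
    respa = H3(ra, rb_at_a, chb)
    # SH-4, A -> B: resp_a
    b_out = "ACCEPT" if hmac.compare_digest(respa, H3(ra_at_b, rb, chb)) else "FAIL"
    return a_out, b_out
```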




k-Times Anonymous Authentication 
(Extended Abstract) 

Isamu Teranishi, Jun Furukawa, and Kazue Sako 

Internet Systems Research Laboratories, NEC Corporation, 
1753 Shimonumabe, Nakahara-Ku, Kawasaki 211-8666, Japan 
teranisi@ah.jp.nec.com, j-furukawa@ay.jp.nec.com, k-sako@ab.jp.nec.com 



Abstract. We propose an authentication scheme in which users can be 
authenticated anonymously so long as the number of times that they are 
authenticated is within an allowable number. The proposed scheme has two features 
that allow 1) no one, not even an authority, to identify users who have been 
authenticated within the allowable number, and that allow 2) anyone to 
trace, without help from the authority, dishonest users who have been 
authenticated beyond the allowable number by using the records of these 
authentications. Although identity escrow/group signature schemes allow 
users to be anonymously authenticated, the authorities in these schemes 
have the unnecessary ability to trace any user. Moreover, since it is only 
the authority who is able to trace users, one needs to make cumber- 
some inquiries to the authority to see how many times a user has been 
authenticated. Our scheme can be applied to e-voting, e-cash, electronic 
coupons, and trial browsing of content. In these applications, our scheme, 
unlike the previous one, conceals users’ participation from protocols and 
guarantees that they will remain anonymous to everyone. 



1 Introduction 

1.1 Background 

Many applications, such as e-voting [19,21,27,29,32], e-cash [1,9,12,16,30], 
electronic coupons [25,26,28], and trial browsing of content, often need to allow 
users to use them anonymously to protect privacy. At the same time, these 
applications need to restrict the number of times users can use them. These 
applications have three common requirements. The first is that they should provide 
honest users as much privacy as possible. The second is that they should be able 
to trace dishonest users easily. The third is that they should be able to restrict 
the number of times users can use the applications. 

However, if an application provider authenticates each user by receiving the 
user’s signature when the user accesses it, a problem arises in that the provider 
is able to know who is using the application. 

By following the authentication procedure of an identity escrow/group signature 
scheme [2,4,6,7,15,24,22], instead of an ordinary authentication scheme, 
users can be authenticated by the application provider without revealing their 
ID to it. However, this method also does not fully satisfy all the requirements. 
First, an authority called the group manager can identify honest users. Second, 
providers need to make cumbersome inquiries of the group manager to trace dishonest 
users. Third, there is no easy way for the provider to restrict the number 
of times users can use applications. 

1.2 Properties of Proposed Scheme 

We propose an authentication scheme called k-times anonymous authentication 
(k-TAA) that satisfies the three requirements mentioned in the previous section. 
An authority called the group manager first registers users in the proposed 
scheme. Each application provider (AP) then publishes the number of times a 
user is allowed to use their application. The registered users can be authenticated 
by various APs. 

The proposed scheme satisfies the following properties: 

1. No one, not even the group manager, is able to identify the authenticated 
user, if the authenticated user is honest. 

2. No one, not even the group manager, is able to decide whether two authentication 
procedures are performed by the same user or not, if the user(s) 
is/are honest. 

3. Any user who was accurately detected as having accessed more than the allowed 
number of times can be correctly traced using only the authentication 
log of the AP and public information. 

4. No colluders, not even the group manager, are able to be authenticated by 
an AP on behalf of an honest user. 

5. Once a user has been registered by the group manager, the user does not 
need to access the group manager. 

6. Each AP can independently determine the maximum number of times a 
registered user can anonymously access the AP. 

We stress that the group manager of our scheme has less authority than that 
of an identity escrow/group signature scheme. He cannot trace honest users. His 
sole role is registering users. 

The proposed scheme can also be used directly as a k-times anonymous signature. 
We formalize the security requirements of k-TAA, then prove that the proposed 
scheme is secure under the strong RSA assumption and the DDH assumption. 

1.3 Comparison with Related Work 

Using known schemes, one can construct a scheme that has similar properties to 
ours. However, these schemes have some problems. 

Blind Signature Scheme. Using the blind signature scheme [13], one can construct 
a scheme that has similar properties to ours. In each authentication, a 
user receives the group manager's blind signature and sends this signature to an 
AP. The AP accepts the authentication if the signature sent is valid. However, 
the scheme does not work well when there are multiple APs and their allowed 
number of access times is more than one. 
Electronic Cash That Can be Spent k-times. Using multi-show cash [9] (i.e., 
electronic cash that one can spend multiple times), we can construct another 
scheme that has similar properties to ours. The group manager plays the role 
of the bank. Before accessing an AP for the first time, a user asks the bank to 
give him digital cash that can be spent k times, where k is the number of 
access times allowed by the AP. This cash plays the role of a ticket that allows 
users to access the AP, i.e., users send the digital cash to the AP when they are 
authenticated by the AP. 

This scheme, however, has three drawbacks. First, the scheme is not efficient 
in the sense that users must access the group manager every time they access 
a new AP. Second, the group manager can learn which APs each user wants to 
be authenticated by. Third, one can determine whether two payment protocols 
have been performed by the same user or not by comparing the multi-show cash 
that was used in the protocols. 

Electronic Coupon. By using electronic coupons [25] as tickets, instead of electronic 
cash, one can construct another scheme, which also has similar properties 
to ours. This scheme, however, has the same problems that identity escrow/group 
signature schemes have. That is, the group manager can trace honest users, and 
an AP needs to make cumbersome inquiries of the group manager to trace dishonest 
users. The scheme also has a problem in that one can sometimes determine 
whether two authentication procedures have been performed by the same user 
or not.¹ 

List Signature and Direct Anonymous Attestation. The independently proposed 
schemes [5] and [11] are similar to ours. However, these schemes do not match 
our purpose. 1) These schemes cannot be used as signatures that may be shown two 
or more times. 2) A verifier of [5] cannot trace a dishonest user without the help 
of an authority, and the scheme [11] has no way to trace dishonest users. 3) An 
authority of [5] can identify the authenticated user. 

1.4 Applications 

An example of an application of k-TAA is trial browsing of content. Each 
provider wants to provide users with a service that allows them to browse content 
such as movies or music freely on trial. To protect user privacy, the providers 
allow users to use the service anonymously. To prevent users from using the service 
too many times, the providers want to restrict the number of times that a user 
can access the service. 

This privileged service is only provided to certain group members, say a 
member of the XXX community. The head of this community plays the role of 
the group manager, and registers users on behalf of providers in advance. 



¹ Although the authors of [25] claim that no one can determine this, that is not the 
case. The reason is nearly the same as for a k-TAA scheme in which an AP is able to 
know how many times users have accessed him. See 1) of Section 3.4. 







The properties of the proposed scheme enable all honest users to browse 
content anonymously for the permitted number of times, but users who access beyond 
the allowed number of times are identified. 

It can also be applied to voting, transferable cash, and coupons. In the one- or 
multiple-voting scheme constructed with the proposed scheme, a voter computes 
one- or k-times anonymous signatures on his ballot, and sends these anonymously 
to an election administrator. In this scheme, even authorities are unable to know 
whether a user has voted or not. 

We can add transferability to the electronic cash scheme [9] with our scheme. 
To transfer cash to another entity, the owner of the cash computes a one-time 
anonymous signature on the electronic cash, and sends it with the signature to 
the receiver. Although a transferable electronic cash scheme has already been 
proposed in [16], our scheme has an advantage in that users do not need to 
access the bank each time they transfer cash to another entity. 

One can construct an electronic coupon scheme by applying the k-times 
anonymous signature scheme directly. Our method has an advantage in that 
even an authority cannot trace an honest user while anyone can trace a dishonest 
user. 

2 Model 

2.1 Entities 

Three types of entities take part in the model, namely, the group manager (GM), 
users, and application providers (AP). The k-TAA scheme is comprised of the 
following five procedures: setup, joining, bound announcement, authentication, 
and public tracing. 

In the setup, the GM generates a group public key / group secret key pair, and 
publishes the group public key. Joining is done between the GM and user who 
wants to join the group. After the procedure, the user obtains a member public 
key / member secret key pair. A user who has completed the joining procedure 
is called a group member. 

In the bound announcement procedure, an AP announces the number of 
times each group member is allowed to access him. The AP V publishes his ID_V 
and the upper bound k_V. 

An authentication procedure is performed between a user and an AP. The 
AP accepts the user if the user is a group member and has not accessed him 
more than the allowable times. The AP detects and rejects the user if he is not a 
group member, or if he is a group member but has accessed him more times than 
the announced bound allows. The AP records the data sent by the accepted or 
detected user in the authentication log. 

Using only the public information and the authentication log, anyone can 
do public tracing. The procedure outputs some user ID i, "GM", or "NO-ONE", 
which respectively mean "the user i has been authenticated by the AP more times than 
the announced bound", "the GM published the public information maliciously", 
and "the public tracing procedure cannot find malicious entities". Note that 
we allow the AP to delete some data from the log. Even if a member has been 
authenticated over the allowed number of times, the tracing outputs NO-ONE if the AP 
deletes the data about the member's authentications. 

2.2 Requirements 

A secure k-TAA must satisfy the following requirements: 

- (Correctness): An honest group member will be accepted in authentication 
with an honest AP. 

- (Total Anonymity): No one is able to identify the authenticated member, 
or to decide whether two accepted authentication procedures are performed 
by the same group member, if the authenticated user(s) has followed the 
authentication procedure within the permitted number of times per AP. 
These are satisfied even if other group members, the GM, and all APs collude 
with each other. 

- (Detectability): Public tracing using an honest AP's authentication log 
does not output "NO-ONE" if a colluding subset of group members has been 
authenticated beyond the total number of times the colluding group members 
are able to be authenticated by the AP. 

- (Exculpability for Users): Public tracing does not output the ID of an 
honest user, even if other group members, the GM, and all APs collude with 
each other. 

- (Exculpability for the GM): Public tracing does not output GM if the 
GM is honest. This is satisfied even if all group members and all APs 
collude with one another. 

Note that these requirements imply the following: 

- (Unforgeability): Without the help of the GM or group members, no colluding 
group non-members can be authenticated as group members. 

- (Coalition Resistance): A colluding subset of group members cannot generate 
a member public key/private key pair that was not generated in the joining 
procedures. 

- (Traceability): Any member who is detected as having accessed an AP beyond 
its predetermined bound can be traced from public information and the AP's 
authentication log. 

Since the reasons the unforgeability and coalition resistance properties are 
satisfied are almost the same as in the group signature case [7], we have not 
included an explanation. The traceability property is clearly satisfied. 



3 Proposed Scheme 

3.1 Notations and Terminologies 

Let N and Z_n denote the ring of natural numbers and the natural numbers from 0 
to n − 1, and QR(n) the multiplicative group of quadratic residues of Z_n. Let H_X 
denote a full domain hash function onto the set X. Let PROOF(x s.t. R(x)) denote 
a proof of knowledge of x that satisfies the relation R(x). We call a prime p 
a safe prime if (p − 1)/2 is also a prime number. We call n a rigid integer if 
the natural number n can be factorized into two safe primes of equal length. Let G 
be a group with known order q on which the DDH problem is hard to solve. For 
simplicity, we assume the bit length of q is equal to the security parameter κ. 

3.2 Key Ideas 

The proposed scheme is a modification of a group signature scheme. The GM is 
disabled from tracing an honest member, and anyone can identify who accessed 
over the allowed number of times. Say an AP wishes to set the bound at k. Every 
time a member wants to be authenticated by the AP, he computes k intrinsic bases 
B_1, ..., B_k of the AP, each called a tag base, then picks a tag base B_i which he 
has not used before. As long as the member uses different tag bases, he will not be 
identified. However, if he uses the same tag base twice, anyone can identify who 
used the tag base twice. 

3.3 Summary of Proposed Scheme 

Let G be a group on which DDH problems are hard to solve. In the setup, the 
GM publishes a rigid integer n, elements a, a_0 ∈_U QR(n), and an element b of 
G. 

In joining, the user and the GM compute a member public key/secret key pair 
((A, e), x) such that the equation a^x a_0 = A^e is satisfied, x and e are elements 
of some previously determined intervals, and e is prime, and add b^x and his ID to 
a public list, which is called the identification list. 

A tag base is a pair (t, t̂) of elements of the group G. They must be hash 
values of some data, to prevent the discrete logarithm of either with respect to 
the other from being known. In each authentication, an AP sends a random number ℓ 
to a member, then the member sends back a tag (τ, τ̂) = (t^x, (b^ℓ t̂)^x) with a 
validity proof. If the member has not computed two tags using the same tag base, 
no one is able to trace that user, since the DDH problem on G is hard to solve. 
However, if the member computes another tag (τ', τ̂') = (t^x, (b^{ℓ'} t̂)^x) using the 
same tag base, the AP can find these in his authentication log since they satisfy 
τ = τ', and one can compute (τ̂/τ̂')^{1/(ℓ−ℓ')} = b^x. Since the identification list 
preserves the user ID which corresponds to b^x, one can identify the member. 

3.4 Concerns 

To construct the scheme we propose, we need to consider the following: 

1) If an AP is able to know w, the number of times the member has accessed him, 
the total anonymity property is not satisfied. Suppose the number of times, w_1, 
that member M_1 has accessed an AP does not equal the number of times, w_2, that 
member M_2 has accessed the same AP. If w ≠ w_1 is satisfied, the AP can affirm 
that the member is not M_1. 

2) If one can know the discrete logarithm of two tag bases, one can identify 
members using the equation β = … . Here, β is a part of the public key 
of a member, τ̂_1 and τ̂_2 are the second coordinates of tags computed by the member 
using tag bases t_1 and t_2 which satisfy t_2 = … . Similarly, if … are 
satisfied, a user who knows x_1 can act as a user who knows x_2. 

3) An AP can add false data to the log. 

4) In joining, a secret key x of a member must be selected randomly, since "one 
more unforgeability" of member key pairs is assured only if this condition is 
satisfied (see Lemma 2). 

5) In joining, a user must add b^x to the identification list before he knows (A, e). 
If a user can know (A, e) before he adds b^x, he can stop the joining procedure and 
get a member key pair (x, (A, e)) such that b^x is not written in the identification 
list. Therefore, he can be anonymously authenticated any number of times, since 
b^x is needed in the tracing procedure. 

6) For a similar reason that plain signature schemes need a CA, the proposed scheme 
needs some mechanism to assure the correctness of the correspondence between 
each entity and his public key. 

7) If G is a group of unknown order, the number of exponentiations in public tracing 
is linear in the number of members. In this case, since one cannot compute 
(τ̂/τ̂')^{1/(ℓ−ℓ')}, one must cumbersomely compute β^{ℓ−ℓ'} for each element β of 
the identification list and then check whether β^{ℓ−ℓ'} = τ̂/τ̂' is satisfied. 

To avoid attacks 1), ..., 5), we construct the proposed scheme so that it 
satisfies the following: 1) the validity proof conceals w, 2) tag bases are hash 
values of some data, 3) the authentication log contains the validity proofs which 
members have computed, 4) x is randomized by the GM, and 5) b^x is added to 
the identification list before the GM computes A = (a^x a_0)^{1/e} mod n. 

To avoid attack 6), we assume the GM's public key is distributed by some 
trusted entity. Additionally, we make an assumption about the identification 
list, to assure the correspondence between each member and his public key. See 
Section 4.2 for a more detailed discussion. 

To avoid the inefficient tracing described in 7), we set G as a known order group; 
in particular, G ≠ QR(n). 

3.5 Description of Proposed Scheme 

PARAMETERS 

The security parameters of our scheme are ν, ε, μ, and κ. Let λ and γ be 
parameters which are determined by the security parameters (see Section 5 for 
a detailed description). We set Λ and Γ as the sets of integers in (0, 2^λ) and 
(2^γ, 2^γ + 2^λ) respectively. Let {G_κ}_{κ∈N} be a set of cyclic groups with known 
order. Let G be G_κ. 

The parameters ν, ε, μ, and κ respectively control the difficulty of solving the 
flexible RSA problem (the problem is also called the strong RSA problem) on Z_n, 
the tightness of the statistical zero-knowledge property, the soundness of the 
scheme, and the difficulty of solving the DDH problem on G. We set, for example, 
ν = 1024, ε = μ = κ = 160, and set G as an elliptic curve group. 
SETUP 

1. The GM randomly chooses a 2ν-bit rigid integer n. Then, it randomly chooses a 
μ-bit string R_GM and computes ((a', a'_0), b) = H_{Z_n^2 × G}(R_GM) and (a, a_0) = 
(a'^2, a'_0^2) mod n ∈ QR(n)^2. The group secret key is (p_1, p_2) and the group 
public key is (n, R_GM, a, a_0, b). 

JOINING 

1. User U_i selects x' ∈_U Λ, and sends its commitment C to the GM with a 
validity proof. 

2. The GM verifies the proof, and sends x'' ∈_U Λ to U_i. 

3. User U_i confirms that x'' ∈ Λ is satisfied, computes x = ((x' + x'') mod 2^λ) 
and (α, β) = (a^x mod n, b^x), and then adds the new data (i, β) to the 
identification list LIST. Then, U_i sends (α, β) to the GM with a validity proof. 

4. The GM verifies that (i, β) is an element of the identification list, and that 
the proof is valid. Then, the GM generates a prime e ∈_U Γ, computes 
A = (α a_0)^{1/e} mod n, and sends (A, e) to user U_i. 

5. User U_i confirms that the equation a^x a_0 = A^e mod n is satisfied, e is a 
prime, and e is an element of Γ. The new member U_i's secret key is x, and his 
public key is (α, A, e, β). 

BOUND ANNOUNCEMENT 

1. AP V publishes (ID_V, k_V). Here, ID_V is his ID. 

Let (t_1, t̂_1) = H_{G^2}(ID_V, k_V, 1), ..., (t_{k_V}, t̂_{k_V}) = H_{G^2}(ID_V, k_V, k_V). 
We call (t_w, t̂_w) the w-th tag base of the AP. 

AUTHENTICATION 

1. Member M increases the counter C_{ID_V,k_V}. If the value w of the counter 
C_{ID_V,k_V} is greater than k_V, then M sends ⊥ to V and stops. 

2. AP V sends a random integer ℓ ∈_U [0, 2^{μ+κ}] ∩ N to M. 

3. Member M computes the tag (τ, τ̂) = (t_w^x, (b^ℓ t̂_w)^x), using M's secret key x 
and the w-th tag base (t_w, t̂_w), computes a proof that (τ, τ̂) is correctly 
computed, and sends (τ, τ̂) and the validity proof to V. 

4. If the proof is valid and if τ is different from all search tags in his 
authentication log, V adds the tuple (τ, τ̂, ℓ) and the proof to the authentication 
log LOG of V, and outputs accept. 

PUBLIC TRACING 

1. From LOG, one finds two data (τ, τ̂, ℓ, PROOF) and (τ', τ̂', ℓ', PROOF') that 
satisfy τ = τ' and ℓ ≠ ℓ', and such that PROOF and PROOF' are valid. If one cannot 
find such data, then one outputs NO-ONE. 

2. One computes β' = (τ̂/τ̂')^{1/(ℓ−ℓ')} = ((b^ℓ t̂)^x / (b^{ℓ'} t̂)^x)^{1/(ℓ−ℓ')} = b^x, 
and searches for the pair (i, β) that satisfies β = β' in the identification list. 
Then, one outputs the member's ID i. If there is no such (i, β), then one affirms 
that the GM has deleted some data from the identification list, and outputs GM. 
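The authentication and public tracing steps above, together with the tag mechanism of Section 3.3 and the unknown-order fallback of concern 7) in Section 3.4, as an added worked example; this is not code from the paper or its authors. It instantiates G as the prime-order subgroup QR(p) of Z_p^* for a 64-bit safe prime p = 2q + 1 searched for at start-up, takes b = 4 as the public element, and derives each tag base from SHA-256 with a domain tag. The validity proofs are omitted, and x and ℓ are drawn from Z_q instead of from Λ and [0, 2^{μ+κ}]. The class and function names (AP, Member, public_trace, trace_without_inverse), the AP identifier "trial-browsing" and the parameter sizes are this example's own choices, and the sizes are toy sizes with no security.

```python
# Added toy instance of the k-TAA tag mechanism (not the paper's code). Constructed group:
# G = QR(p) of prime order q for a 64-bit safe prime p = 2q + 1 found below; proofs omitted.
import hashlib, random

BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2 or any(n % s == 0 for s in BASES if s < n):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    return n in BASES or all(pow(a, d, n) in (1, n - 1) or
                             any(pow(a, d << i, n) == n - 1 for i in range(1, r)) for a in BASES)

def find_safe_prime(bits, seed):
    """Search for p = 2q + 1 with p and q prime (toy parameters chosen for this example)."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = find_safe_prime(64, seed=1)
B = 4  # 2^2 generates QR(p); it plays the role of the public element b

def hash_to_G(*items):
    """Full-domain hash onto G: SHA-256, reduce mod p, square into QR(p); re-hash on 0 or 1."""
    ctr, g = 0, 0
    while g < 2:
        digest = hashlib.sha256(("|".join(map(str, items)) + f"|{ctr}").encode()).digest()
        g, ctr = pow(int.from_bytes(digest, "big") % P, 2, P), ctr + 1
    return g

def tag_base(ap_id, k, w):
    """The w-th tag base (t_w, that_w) = H_{G^2}(ID_V, k_V, w), here two domain-separated hashes."""
    return hash_to_G(ap_id, k, w, "t"), hash_to_G(ap_id, k, w, "t_hat")

def compute_tag(x, ap_id, k, w, ell):
    """Tag (tau, tau_hat) = (t_w^x, (b^ell * that_w)^x) for secret x and challenge ell."""
    t, t_hat = tag_base(ap_id, k, w)
    return pow(t, x, P), pow(pow(B, ell, P) * t_hat % P, x, P)

class AP:
    def __init__(self, ap_id, k, seed=0):
        self.ap_id, self.k, self.log, self.rng = ap_id, k, [], random.Random(seed)
    def verify(self, tau, tau_hat, ell):
        """Step 4: a fresh search tag tau is accepted; a repeated one is logged and detected."""
        status = "detect" if any(e[0] == tau for e in self.log) else "accept"
        self.log.append((tau, tau_hat, ell))  # LOG keeps (tau, tau_hat, ell); the proof is omitted
        return status

class Member:
    def __init__(self, ident, x):
        self.ident, self.x, self.counters = ident, x, {}
        self.beta = pow(B, x, P)  # the b^x written to LIST at joining
    def authenticate(self, ap, reuse_w=None):
        """Honest run: next unused tag base, or None (bot) once k_V is exhausted; reuse_w forces reuse."""
        w = reuse_w
        if reuse_w is None:
            key = (ap.ap_id, ap.k)
            w = self.counters[key] = self.counters.get(key, 0) + 1
            if w > ap.k:
                return None
        ell = ap.rng.randrange(1, Q)  # step 2: the AP's random challenge
        return ap.verify(*compute_tag(self.x, ap.ap_id, ap.k, w, ell), ell)

def colliding_pairs(log):
    """LOG pairs with tau = tau' and ell != ell', the precondition of tracing step 1."""
    return [(a, b) for i, a in enumerate(log) for b in log[i + 1:] if a[0] == b[0] and (a[2] - b[2]) % Q]

def public_trace(log, ident_list):
    """Known-order tracing: beta' = (tau_hat/tau_hat')^(1/(ell-ell')) = b^x, then look it up in LIST."""
    for (_, th, ell), (_, th2, ell2) in colliding_pairs(log):
        beta = pow(th * pow(th2, -1, P) % P, pow(ell - ell2, -1, Q), P)
        return next((i for i, b in ident_list if b == beta), "GM")
    return "NO-ONE"

def trace_without_inverse(log, ident_list):
    """Concern 7) of Section 3.4: with no 1/(ell-ell') available, test beta^(ell-ell') = tau_hat/tau_hat'
    for every LIST entry, so the cost grows with the list (pow inverts for a negative exponent)."""
    for (_, th, ell), (_, th2, ell2) in colliding_pairs(log):
        ratio = th * pow(th2, -1, P) % P
        return next((i for i, b in ident_list if pow(b, ell - ell2, P) == ratio), "GM")
    return "NO-ONE"

def demo():
    """k_V = 2: honest use traces to NO-ONE, a reused tag base traces to the member, a missing LIST entry blames the GM."""
    ap = AP("trial-browsing", k=2)
    alice = Member("alice", random.Random(7).randrange(1, Q))
    bob = Member("bob", random.Random(8).randrange(1, Q))
    LIST = [(alice.ident, alice.beta), (bob.ident, bob.beta)]
    honest = [alice.authenticate(ap), alice.authenticate(ap), bob.authenticate(ap)]
    clean = public_trace(ap.log, LIST)
    exhausted = alice.authenticate(ap)         # counter reaches 3 > k_V: the member sends bot
    cheat = alice.authenticate(ap, reuse_w=1)  # ignores the counter and reuses tag base 1
    return (honest, clean, exhausted, cheat, public_trace(ap.log, LIST),
            trace_without_inverse(ap.log, LIST), public_trace(ap.log, LIST[1:]))
```

demo() walks the three outcomes of the model: two honest authentications plus a third member leave no pair with τ = τ', so tracing says NO-ONE; the honest counter refuses a third run; a member who ignores the counter and reuses tag base 1 is caught at step 4 and traced to "alice" by both tracers; and tracing against a list from which the member's (i, β) entry is missing outputs GM, exactly as step 2 of public tracing prescribes.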

3.6 Details 

• setup. 

- The GM must additionally publish 1) (g, h) ∈_U QR(n)^2, which shall be used 
by users to compute the commitment C in joining, 2) a zero-knowledge proof 
that n is a rigid integer, and 3) a zero-knowledge proof that (g, h) is an 
element of QR(n). The GM provides the proof 2) using the technique of 
[10], and provides the proof 3) by proving knowledge of (g', h') ∈ Z_n^2 which 
satisfies (g'^2, h'^2) = (g, h) mod n. 

• joining. 

- At step 1, the user must compute ((a', a'_0), b) = H_{Z_n^2 × G}(R_GM), and verify 
the equation (a, a_0) = (a'^2, a'_0^2) mod n, and the proofs. 

- The commitment C is g^{x'} h^{s'} mod n. Here s' is a (2ν + ε)-bit random natural 
number. 

- The formal descriptions of the validity proofs of steps 1 and 3 are, respectively, 
PROOF_1 = PROOF((x', s') s.t. x' ∈ Λ ∧ C = g^{x'} h^{s'} mod n) and PROOF_2 = 
PROOF((x, ρ, s') which satisfies (a), ..., (d) below), where (a) x ∈ Λ, 
(b) a^x = α mod n, (c) C g^{x''} = g^x (g^{2^λ})^ρ h^{s'} mod n, and (d) b^x = β. These 
proofs must be statistically zero knowledge with respect to the security parameter ε. 
We have omitted a detailed description of the proofs. See [8] for the proof that a 
committed number lies in an interval. 

• authentication. 

- At step 4, if the proof is invalid, V outputs reject and stops. If τ is already 
written in the identification list, V adds the tuple (τ, τ̂, ℓ) and the proof to the 
LOG of the AP, outputs (detect, LOG) and stops. 

- The proof of step 3 is rather more complex. Its details are described in the 
full version of this paper. 

3.7 Efficiency 

The proposed scheme satisfies the following: 

- (Compactness). The GM is able to add new members to the group without 
modifying any keys which were previously generated. In particular, the size 
of a member's key pair does not depend on the group size. 

- Once a user has been registered by the GM, the user does not need to access 
the GM. 

- Each AP is able to determine his own bound by himself. 

- The computational cost of authentication is O(k_V). However, if G is taken 
as an elliptic curve group, the factor which depends on k_V is small, since 
exponentiation on G is faster than that on Z_n. 

- The number of exponentiations in public tracing is independent of the size 
of the authentication log and the identification list. 
3.8 Variants of Proposed Scheme 

1) Although the proposed scheme merely restricts the number of authentications, 
one can construct, using the "and/or"-proof technique, a scheme such that "a trace 
procedure identifies a user if and only if the user is authenticated either 1) k_1 
times from AP V_1 or 2) k_2 times from AP V_2 and k_3 times from AP V_3". 

2) By changing the data in LIST from (i, β) to a pair (h, e), one can construct 
a k-TAA scheme in which no one, except a member himself and the GM, can 
detect who is a member of the group. Here, H is a hash function and E is a 
symmetric encryption scheme. To trace a dishonest user, one computes β as in 
the proposed scheme, then computes H(β), searches for (h, e) in LIST that 
satisfies h = H(β), and decrypts e. 

4 Formal Security Requirements 

4.1 Notations 

We describe the five procedures of a k-TAA scheme as SETUP, JOIN = (M_JOIN-GM, 
M_JOIN-U), BOUND-ANNOUNCEMENT (abbrev. BD-ANN), AUTH = (M_AUTH-U, M_AUTH-AP), and 
TRACE. The procedures M_JOIN-GM and M_JOIN-U (resp. M_AUTH-AP and M_AUTH-U) are what 
the GM and user (resp. AP and user) follow in joining (resp. authentication). 
Let (gpk, gsk) and (mpk, msk) denote the public key/secret key pairs of the group 
manager and a member respectively. 

4.2 List Oracle Model 

We must assume the existence of an infrastructure which assures the 
correct correspondence between each member and his public key in order to formalize 
the security requirements. If we do not assume such a thing, no scheme satisfies 
the exculpability properties for users, as in the group signature case [7]. One 
such infrastructure is a PKI, but a formalization in the PKI model is rather 
complicated, since it must include a description of the signing oracle, what an 
adversary can do in a PKI key setup, etc. To simplify, we introduce a new model, the 
list oracle model. In the model, the existence of a list oracle O_LIST is assumed, 
which manages the identification list² LIST. The oracle O_LIST allows anyone to 
view any data of LIST. However, it allows entities to write data (i, mpk_i) to LIST 
only if the entity is user i or i's colluder, and to delete data of LIST only if the 
entity is the GM or the GM's colluder. We need to stress that even the GM cannot 
write data (i, mpk_i) without colluding with the user i, and even user i cannot 
delete data (i, mpk_i) without colluding with the GM. A more formal definition is 
described in Figure 1, where X is the set of entities which collude with the entity 
who accesses O_LIST. 

Note that a scheme in the list oracle model can be easily transformed into 
a scheme in the PKI model, by changing (i, mpk_i) to (mpk_i, σ_i(mpk_i)) and LIST 
to (LIST, σ_GM(LIST)). Here, σ_i(·) is a signature of entity i. The authority of 
the GM in the list oracle model to delete data from LIST corresponds to the 
authority of the GM in the PKI model to publish (LIST', σ_GM(LIST')) instead of 
(LIST, σ_GM(LIST)). Here LIST' = LIST \ {(mpk_i, σ_i(mpk_i))}. 

² Although the LIST of the proposed scheme stores a part of the public keys, β, we deal 
with the case where LIST stores the whole public key, to simplify. 
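The list oracle O_LIST of this section as an added Python model; it is not the paper's code. The access rules are the ones stated above, with X the set of entities colluding with the caller, ⊥ modelled as None and a successful write or deletion as True; the class and method names and the sample identifiers "i1" and "beta1" are this example's own. It shows the two separations both exculpability notions rest on: the GM alone cannot plant (i, mpk_i), and user i alone cannot remove it.

```python
# Added model of the list oracle O_LIST of Section 4.2 (not the paper's code). X is the set of
# entities colluding with the caller; the oracle's bot is modelled as None, success as True.
GM = "GM"

class ListOracle:
    def __init__(self):
        self.entries = {}  # LIST as {i: mpk_i}; at most one entry per user

    def view(self, i):
        """Anyone may read: returns mpk_i, or None when i has no entry."""
        return self.entries.get(i)

    def add(self, X, i, mpk):
        """(i, mpk_i) may be written only by user i or i's colluders, and only if i has no entry yet."""
        if i in X and i not in self.entries:
            self.entries[i] = mpk
            return True
        return None

    def delete(self, X, i, mpk):
        """Only the GM or a GM colluder may delete, and only an entry that actually matches."""
        if GM in X and self.entries.get(i) == mpk:
            del self.entries[i]
            return True
        return None

def demo():
    """The GM alone cannot write for a user; a user alone cannot delete; reads are unrestricted."""
    lst = ListOracle()
    gm_writes_for_user = lst.add({GM}, "i1", "beta1")        # None: the GM is not i1's colluder
    user_writes = lst.add({"i1"}, "i1", "beta1")             # True
    user_overwrites = lst.add({"i1"}, "i1", "beta1-forged")  # None: one entry per user
    user_deletes = lst.delete({"i1"}, "i1", "beta1")         # None: only the GM may delete
    anyone_reads = lst.view("i1")                            # "beta1"
    gm_deletes = lst.delete({GM}, "i1", "beta1")             # True: the GM's authority in this model
    return (gm_writes_for_user, user_writes, user_overwrites, user_deletes,
            anyone_reads, gm_deletes, lst.view("i1"))
```

In the PKI translation described above, the GM's delete authority becomes the ability to publish a re-signed LIST' with one entry removed, and the user's exclusive add authority becomes the fact that only user i can produce σ_i(mpk_i).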

4.3 Experiments 

An adversary is allowed the following in the experiments on security properties: 

- If an adversary colludes with the GM, the adversary can maliciously execute 
SETUP and M_JOIN-GM(gpk, gsk). 

- If an adversary colludes with a user i, the adversary can maliciously execute 
M_JOIN-U(gpk, i) and M_AUTH-U(gpk, msk), where msk is the secret key of i. 

- If an adversary colludes with an AP, the adversary can choose the public 
information (ID, k) of the AP and maliciously execute M_AUTH-AP(gpk, (ID, k)). 
Moreover, the adversary can use different AP information (ID, k) for each 
authentication. 

- An adversary is only allowed to execute the many joining and authentication 
procedures sequentially. 

Total Anonymity. An adversary is allowed to collude with the GM, all APs, and 
all users except the target users i_1 and i_2. It is also allowed to authenticate 
with the oracle O_QUERY(b, gpk, (i_1, i_2), (ID, k), (d, ·)) once only for each 
d = 0, 1. If it sends (d, M) to O_QUERY, the oracle O_QUERY regards M as data sent 
by a member and executes M_AUTH-U using the key pair of user i_{b⊕d+1} and the 
AP's public information (ID, k). Recall that k-TAA schemes provide anonymity only 
if a member has been authenticated less than the allowed number of times. 
Therefore, the adversary must authenticate user i_1 or i_2 using (ID, k) within 
k times. If the adversary keeps to the rule and outputs b, the adversary wins. 
See Figure 1 for the formal definition of O_QUERY. Here, S_QUERY is a set using 
which O_QUERY memorizes the session IDs. 

Contrary to [7, 22], the secret keys of the target users are not input to the 
adversary. If the secret keys were input to the adversary, the adversary would be 
able to determine b as follows: it colludes with the AP publishing (ID, k), is 
authenticated k times by the AP using i_1's secret key, and obtains the log LOG of 
these authentications. Then, it communicates with O_QUERY(b, gpk, (i_1, i_2), 
(ID, k), (0, ·)) and obtains the log L of that authentication. The secret b equals 
0 if and only if TRACE^{O_LIST(∅,·)}(gpk, LOG ∪ {L}) = i_1 is satisfied. 

Detectability. An adversary is allowed to collude with all group members. If 
the adversary succeeds in being accepted by some AP in more than kn 
authentications, the adversary wins. Here, k is the number of times the AP allows 
access for each user, and n is the number of users who collude with the adversary. 

Exculpability (for users, and for the GM). An adversary is allowed to collude with 
all entities except the target entity. If the adversary succeeds in computing a 
log with which the public tracing procedure outputs the ID of the target entity, 
the adversary wins. 
***Exp^{anon-b}_{A,i_1,i_2,(ID,k)}(ω)*** 

(gpk, St) ← A(1^ω) 

b' ← A^{O_LIST({i_1,i_2}^c,·), O_JOIN-U(gpk,·), O_AUTH-U(gpk,·), O_QUERY(b,gpk,(i_1,i_2),(ID,k),(·,·))}(St) 

If (O_QUERY has output OVER) Return ⊥. 

Return b'. 


***O_LIST(X, M)*** 

Parse M as (command, i, mpk). 

If (command = view and mpk = "-") 

  If (∃mpk' s.t. (i, mpk') ∈ LIST) 

    Return mpk'. 

If (command = add) 

  If (i ∈ X and ∄mpk' s.t. (i, mpk') ∈ LIST) 
    LIST ← LIST ∪ {(i, mpk)}. 

Else if (command = delete) 

  If (GM ∈ X) LIST ← LIST \ {(i, mpk)}. 
Return ⊥. 


***Exp^{detect}_A(ω)*** 

(gpk, gsk) ← SETUP(1^ω) 

A^{O_LIST({GM}^c,·), O_JOIN-GM(gpk,gsk,·), O_AUTH-AP(gpk,·)}(gpk) 

If (∃(ID,k) ∈ S_AUTH-AP s.t. #LOG_{ID,k} > k · #LIST) 
  Return TRACE^{O_LIST(∅,·)}(gpk, LOG_{ID,k}). 

Return ⊥. 


***Exp^{excul-U}_{A,i_1}(ω)*** 

(gpk, St) ← A(1^ω). 

LOG ← A^{O_LIST({i_1}^c,·), O_JOIN-U(gpk,·), O_AUTH-U(gpk,·)}(St) 
Return TRACE^{O_LIST(∅,·)}(gpk, LOG) 


***Exp^{excul-GM}_A(ω)*** 

(gpk, gsk) ← SETUP(1^ω) 

LOG ← A^{O_LIST({GM}^c,·), O_JOIN-GM(gpk,gsk,·)}(gpk) 

Return TRACE^{O_LIST(∅,·)}(gpk, LOG) 


***O_QUERY(b, gpk, (i_1, i_2), (ID, k), (d, M))*** 
If (d ∉ {0, 1}) Return ⊥. 

If (∄sid s.t. (d, sid) ∈ S_QUERY) 

  Choose a new session ID sid 
  which has never been used. 

  S_QUERY ← S_QUERY ∪ {(d, sid)}. 

Return 

  O_AUTH-U(gpk, (sid, i_{1+(b⊕d)}, (ID, k)||M)). 


Comments: 

1. To simplify, we abbreviate 
the hash oracle O_H. 

2. O_AUTH-U(gpk, (·, i, ·)) outputs OVER 
if A authenticates user i 
more than the allowed number of times. 



Fig. 1. The oracles and the experiments 



Figure 1 describes the experiments formally. O_JOIN-GM, O_JOIN-U, O_AUTH-U, and 
O_AUTH-AP are the oracles that manage and execute multiple sessions of M_JOIN-GM, 
M_JOIN-U, M_AUTH-U, and M_AUTH-AP respectively, and ω is the security parameter. The 
set S_AUTH-AP contains all the AP information that was used by O_AUTH-AP, and LOG_{ID,k} 
is the log of the authentications engaged in by O_AUTH-AP using the AP information (ID, k). 
See the full version of this paper for a formal definition of the oracles. 



4.4 Definition 

Definition 1. Let ω be a security parameter, A be an adversary, b be an element 
of {0, 1}, i_1 and i_2 be natural numbers, and (ID, k) be some AP's public 
information. 

If Adv^{anon}_{A,i_1,i_2,(ID,k)}(ω) = | Pr(Exp^{anon-0}_{A,i_1,i_2,(ID,k)}(ω) = 1) 
− Pr(Exp^{anon-1}_{A,i_1,i_2,(ID,k)}(ω) = 1) | is negligible in the security parameter ω for 
all (A, i_1, i_2, (ID, k)), we say a k-TAA scheme satisfies total anonymity. 

If Adv^{detect}_A(ω) = Pr(Exp^{detect}_A(ω) = NO-ONE) is negligible in the security 
parameter ω for all A, we say a k-TAA scheme satisfies detectability. 

If Adv^{excul-U}_{A,i_1}(ω) = Pr(Exp^{excul-U}_{A,i_1}(ω) = i_1) is negligible in the security 
parameter ω for all (A, i_1), we say a k-TAA scheme satisfies exculpability for 
users. 

If Adv^{excul-GM}_A(ω) = Pr(Exp^{excul-GM}_A(ω) = GM) is negligible in the security 
parameter ω for all A, we say a k-TAA scheme satisfies exculpability for the GM. 



5 Security of Proposed Scheme 

To prove the security of the proposed scheme, we use two key lemmata. First, 
since each member generates the element $a^x$ of $QR(n)$ and the element $b^x$ of $G$ using 
the same $x$, we must be particularly concerned about secrecy. We will prove the 
difficulty of a variant of the DDH problem, where two components of a DH-tuple 
are elements of $QR(n)$ and the other two components are elements of $G$: 

Lemma 1 (Separation Lemma). Let $a$ be an element of $QR(n)$, and $b$ be an element of $G$. Then, the following two distributions are statistically indistinguishable: 1) the distribution of $(a^x \bmod n,\ b^x) \in QR(n) \times G$, where $x$ is randomly chosen from $\Lambda$, and 2) the distribution of $(\alpha, \beta) \in QR(n) \times G$, where $\alpha$ and $\beta$ are randomly chosen from $QR(n)$ and $G$ respectively. 

Since $|\Lambda|$ is $\epsilon$ times greater than $|QR(n) \times G|$, the variation distance between 
the two distributions is less than $1/2^{\epsilon}$, and therefore Lemma 1 holds. Note 
that, if we injudiciously choose a narrow $\Lambda$, the security of the proposed scheme 
will rely on the non-standard assumption that those two distributions are still 
computationally indistinguishable. 

Detectability and GM's exculpability of the proposed scheme depend on 
the "one more unforgeability" of a $((A, e), x)$: 

Lemma 2. If a) a member's secret key is randomly generated in each joining 
procedure, and if b) for all $x \in \Lambda$ and $e \in \Gamma$, $x < e$ is satisfied, then no adversary 
can generate a $(x, A, e)$ which satisfies $a^x a_0 = A^e$, $x \in \Lambda$, and $e \in \Gamma$, and which 
has not been made in the joinings. 

The proof for Lemma 2 is almost the same as the proof for Theorem 1 of [2]. 

The proposed scheme satisfies the conditions for Lemma 2. Conditions a) and 
b), respectively, follow from the method of choosing $x$ in the joining procedure, and 
the choice of $(\Lambda, \Gamma)$. 

Using these lemmata, we can prove the security of the proposed scheme. See 
the full version of this paper for the detailed proof. 

Theorem 1. Let X be2u-\-K-\-s, and^ be X-\-yi-\-e-\-'&. Then, the proposed scheme 
in the list oracle model satisfies the security requirements of Definition 1 under the 
strong RSA assumption, the DDH assumption on $\{G_k\}$, and the random oracle 
assumption. 
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Abstract. The “XL-algorithm” is a computational method to solve 
overdetermined systems of polynomial equations which is based on a 
generalization of the well-known method of linearization; it was intro- 
duced to cryptology at Eurocrypt 2000. 

In this paper, we prove upper bounds on the dimensions of the spaces 
of equations in the XL-algorithm. These upper bounds provide strong 
evidence that for any fixed finite field K and any fixed $c \in \mathbb{N}$ the median 
of the running times of the original XL-algorithm applied to systems of 
m = n+c quadratic equations in n variables over K which have a solution 
in K is not subexponential in n. In contrast to this, in the introduction 
of the original paper on XL, the authors claimed to “provide strong 
theoretical and practical evidence that the expected running time of this 
technique is [. . .] subexponential if m exceeds n by a small number” . 

More precise upper bounds on the dimensions of the spaces of equa- 
tions in the XL-algorithm can be obtained if one assumes a standard 
conjecture from commutative algebra. We state the conjecture and dis- 
cuss implications on the XL-algorithm. 

Keywords: Cryptanalysis, algebraic attacks, overdetermined systems of 
polynomial equations, extended linearization, Fröberg's Conjecture. 



1 Motivation and Introduction 

The security of many cryptographic systems would be jeopardized if one could 
solve certain types of systems of polynomial equations over finite fields. For 
example, it has been pointed out in [8] that one can with a high probability 
recover an AES-128 key from one AES-128 plaintext-ciphertext pair if one can 
solve certain systems with 1600 variables and 8000 quadratic equations over $\mathbb{F}_2$, 
and it has been pointed out in [14] that one can achieve the same goal if one can 
solve certain systems with 3986 variables and 3840 (sparse) quadratic equations 
as well as 1408 linear equations over $\mathbb{F}_{2^8}$. 

Of particular importance for cryptological applications are so-called overdetermined (or overdefined) systems of quadratic equations as for example the ones 
we just mentioned. Let us consider a system of quadratic polynomial equations 

$$f_1(X_1, \dots, X_n) = 0,\ \dots,\ f_m(X_1, \dots, X_n) = 0, \qquad (1)$$

P.J. Lee (Ed.): ASIACRYPT 2004, LNCS 3329, pp. 323-337, 2004. 

© Springer-Verlag Berlin Heidelberg 2004 
where the $f_j$ are polynomials in $n$ indeterminates $X_1, \dots, X_n$ over an "effective" 
field $K$ (the field being finite in the cryptological applications). We say that the 
system is overdetermined if the dimension of the $K$-vector space generated by 
the $f_j$ is greater than $n$. 

In [7], Courtois, Klimov, Patarin and Shamir propose a computational method 
called extended Linearization (XL) or XL-algorithm to solve such systems of 
polynomial equations (see the next section for a description of the method). In 
the same paper certain heuristics on the running time of this method are stated. 
These heuristics have subsequently been criticized by Moh ([13]) as being too 
optimistic, and in Sect. 4 of [13], the method is analyzed with heuristic upper 
bounds on the dimensions of the spaces of equations in the XL-algorithm. As, 
however, the assumptions on which the heuristic in [13-Sect. 4] relies are not very 
precisely stated, the question whether this heuristic or the original heuristic is 
more credible remained an open problem among cryptologists. In a recent work 
by Chen and Yang ([4]), the heuristic of [13-Sect. 4] is stated as a special case 
of a theorem ([4-Theorem 2]).¹ However, the proof of [4-Theorem 2] (and of 
[4-Theorem 7]) has some serious flaws. 

The main purpose of this paper is to show that under the assumption of a 
widely believed conjecture of commutative algebra, one can indeed derive the 
non-trivial upper bounds on the dimensions of the spaces of equations in the 
XL-algorithm conjectured by Moh and stated in [4-Corollary 6, 1] (see Theorem 1 in Sect. 5 for a more general statement). Moreover, we state upper bounds on 
the dimensions of the spaces of equations in the original XL-algorithm which 
can be proven without the assumption of this conjecture. These upper bounds 
provide strong evidence that for any fixed finite field $K$ and any fixed $c \in \mathbb{N}$ the 
median of the running times of the original XL-algorithm applied to systems of 
$m = n + c$ quadratic equations in $n$ variables over $K$ which have a solution in 
$K$ is not subexponential in $n$ (see the next section for details). 

2 The XL-Algorithm and Our Analysis 

Let us fix the system of quadratic equations (1) which we assume to have a 
solution in $K$ and some $D \in \mathbb{N}$. The main idea of the XL-algorithm is to try to 
solve (1) by linearization of the system of all polynomial equations 

$$\prod_{\ell=1}^{k} X_{i_\ell} \cdot f_j(X_1, \dots, X_n) = 0, \qquad (2)$$

where $k \le D - 2$. 

Let $U_D$ be the $K$-vector space generated by the polynomials $\prod_{\ell=1}^{k} X_{i_\ell} \cdot f_j$ with 
$k \le D - 2$. 

According to [7-Definition 1], the XL-algorithm is as follows. (Except for 
changes in the notation, the description is verbatim.) 



¹ Theorem 2 of [4] is equivalent to the heuristics of [13] if $D < q$, as can be seen by 
expanding the polynomial in item 1 of Corollary 6 in [4]. 




The XL-Algorithm and a Conjecture from Commutative Algebra 325 



The XL-Algorithm. Execute the following steps: 

1. Multiply: Generate all the products $\prod_{\ell=1}^{k} X_{i_\ell} \cdot f_j$ with $k \le D - 2$. 

2. Linearize: Consider each monomial in the $X_i$ of degree $\le D$ as an independent 
variable² and perform Gaussian elimination on the equations obtained in 1. 
The ordering on the monomials must be such that all the terms containing 
one [specific] variable (say $X_1$) are eliminated last. 

3. Solve: Assume that step 2 yields at least one univariate equation in the powers of $X_1$. Solve this equation over the finite fields³ (e.g. with Berlekamp's 
algorithm).⁴ 

4. Repeat: Simplify the equations and repeat the process to find the values of 
the other variables. 

Remark 1. In the description of the method in [7], it seems that $D$ is fixed 
beforehand. As the authors do however not say how $D$ should be determined, 
it seems to be reasonable to assume that the authors of [7] had in mind that 
$D$ is in fact a variable which is small (e.g. 2) in the beginning, and that 
the XL-algorithm goes to Step 1 with an incremented $D$ whenever in Step 3 no 
univariate equation in $X_1$ with a solution in $K$ is found. 
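As an added example, not code from [7] or from this paper, the following Python carries out Steps 1 to 3 of the original XL-algorithm over a small prime field, raising D step by step as Remark 1 suggests. The field F_7, the planted solution, the seeded random quadratics and all function names are constructions of this example; exponents are never reduced, so this is the original, not the reduced, variant.

```python
from itertools import combinations_with_replacement
from math import prod
import random

P = 7  # constructed: all arithmetic is in the prime field F_7; variable index 0 is X_1

def monomials_up_to(n, D):
    """Exponent tuples of all monomials of total degree <= D in n variables."""
    mons = []
    for d in range(D + 1):
        for combo in combinations_with_replacement(range(n), d):
            mons.append(tuple(combo.count(i) for i in range(n)))
    return mons

def times_monomial(mono, f):
    """Multiply the polynomial f (dict exponent-tuple -> coeff mod P) by a monomial."""
    return {tuple(a + b for a, b in zip(mono, e)): c for e, c in f.items()}

def xl_products(polys, n, D):
    """Step 1 (Multiply): all products prod_l X_{i_l} * f_j with k <= D - deg(f_j)."""
    rows = []
    for f in polys:
        deg = max(sum(e) for e in f)
        for mono in monomials_up_to(n, D - deg):
            rows.append(times_monomial(mono, f))
    return rows

def column_order(n, D):
    """Monomial order for Step 2: the monomials in X_1 alone are eliminated last."""
    mons = monomials_up_to(n, D)
    mixed = [e for e in mons if any(e[1:])]
    pure = sorted(e for e in mons if not any(e[1:]))  # 1, X_1, X_1^2, ..., X_1^D
    return mixed + pure

def row_reduce(rows, cols):
    """Gaussian elimination over F_P with pivots chosen left to right in `cols`.
    Returns the nonzero rows of the reduced echelon form and their pivot columns."""
    idx = {e: i for i, e in enumerate(cols)}
    mat = []
    for r in rows:
        v = [0] * len(cols)
        for e, c in r.items():
            v[idx[e]] = c
        mat.append(v)
    pivots, rank = [], 0
    for col in range(len(cols)):
        piv = next((i for i in range(rank, len(mat)) if mat[i][col]), None)
        if piv is None:
            continue
        mat[rank], mat[piv] = mat[piv], mat[rank]
        inv = pow(mat[rank][col], P - 2, P)  # inverse in F_P (P prime)
        mat[rank] = [(x * inv) % P for x in mat[rank]]
        for i in range(len(mat)):
            if i != rank and mat[i][col]:
                f = mat[i][col]
                mat[i] = [(a - f * b) % P for a, b in zip(mat[i], mat[rank])]
        pivots.append(col)
        rank += 1
    return mat[:rank], pivots

def xl_step(polys, n, D):
    """Steps 1-2 for one D.  Returns chi(D) = dim K[X]_{<=D} - dim U_D and the
    univariate equations in X_1 found, each as a coefficient list c[k] of X_1^k."""
    cols = column_order(n, D)
    reduced, pivots = row_reduce(xl_products(polys, n, D), cols)
    first_pure = len(cols) - (D + 1)  # the last D+1 columns are 1, X_1, ..., X_1^D
    # Echelon form: a row is zero left of its pivot, so a pivot in the X_1 block
    # means the whole row lies in K[X_1]_{<=D}.
    univariate = [row[first_pure:] for row, piv in zip(reduced, pivots) if piv >= first_pure]
    return len(cols) - len(reduced), univariate

def roots_mod_p(coeffs):
    """Step 3 by exhaustive search (P is tiny): a in F_P with sum_k c_k a^k = 0."""
    return [a for a in range(P)
            if sum(c * pow(a, k, P) for k, c in enumerate(coeffs)) % P == 0]

def xl_solve_x1(polys, n, D_max=6):
    """Remark 1: start with D = 2 and increment D until Step 2 yields univariate
    equations in X_1.  Returns (D, their common roots in F_P); an empty root list
    means the system has no solution in F_P (footnote 4)."""
    for D in range(2, D_max + 1):
        _, univariate = xl_step(polys, n, D)
        if univariate:
            cands = set(range(P))
            for u in univariate:
                cands &= set(roots_mod_p(u))
            return D, sorted(cands)
    return None, []

def random_quadratic_through(point, rng):
    """Constructed test data: a random quadratic over F_P vanishing at `point`."""
    f = {e: rng.randrange(P) for e in monomials_up_to(len(point), 2) if sum(e)}
    value = sum(c * prod(pow(x, k, P) for x, k in zip(point, e)) for e, c in f.items())
    f[(0,) * len(point)] = -value % P  # constant term chosen so that f(point) = 0
    return {e: c for e, c in f.items() if c}

_RNG = random.Random(2004)  # fixed seed: the constructed instance is reproducible
SOLUTION = (2, 5, 3)        # constructed planted solution in F_7^3
SYSTEM = [random_quadratic_through(SOLUTION, _RNG) for _ in range(5)]  # m = n + 2
```

`xl_solve_x1(SYSTEM, 3)` returns the D at which the first univariate equations in X_1 appeared together with their common roots, which must contain the planted value 2; `xl_step(SYSTEM, 3, D)` exposes χ(D) for comparison with Sect. 4.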

Remark 2. In an "extended version" ([6]) of [7], the description of the method is 
the same as the one in [7] (and the one we present here) except that the authors 
have inserted the sentence "In all the following notations we suppose the powers 
of variables taken over $K$, i.e. reduced modulo $q$ to the range $1, \dots, q-1$ because 
of the equation $a^q = a$ of the finite field $K$." after the third paragraph of Sect. 
3. (But the field is not assumed to be finite in the second paragraph of Sect. 
3 and the number $q$ is not mentioned before.) Apart from this insertion, there 
is no substantial difference between Sect. 3 to 7 of [7] and of [6]. Of course, if 
one identifies the monomials $X_i \cdot \prod_{\ell=1}^{k} X_{i_\ell}$ and $X_i^{q} \cdot \prod_{\ell=1}^{k} X_{i_\ell}$, the method becomes 
much faster if $q$, the field size, is small, $q = 2, 3, 4, 5$ say. According to the way 
the heuristics in Sect. 6 of [7] and [6] were conducted, this identification was 
however not made in the heuristic analysis of [7] and [6]. 

Definition 1. We call the above computational method the original XL-algorithm. The variant introduced in [6] is called reduced XL-algorithm. 

Remark 3. Whereas the original XL-algorithm should only be applied to overdetermined systems of (quadratic) polynomial equations, if the field is finite and 
not too large, it makes sense to apply the reduced XL-algorithm to any system 
of (quadratic) polynomial equations. 



² The authors of [7] obviously mean that each monomial of degree $\le D$ should be 
considered as a new variable. 

³ Note however that according to the second paragraph in [7-Sect. 3], the ground field 
is not necessarily finite. 

⁴ It should be avoided to repeatedly select univariate polynomial equations which 
have more than one solution in $K$. Moreover, if a univariate polynomial equation is 
found which does not have a solution in $K$, the method should terminate and output 
"unsolvable". 
Remark 4. Neither of the two computational methods terminates for every input 
(even if they are only applied to overdetermined systems which have a solution 
in $K$); thus in contrast to their names, they are not algorithms (not even randomized algorithms) in the usual sense (cf. [11-Chapter 1, 1.1]). 

As we will see in the next section, there is a strong connection between the 
original and the reduced XL-algorithm (see Proposition 1). Because of this connection, one can use an analysis of (a generalization of) the original XL-algorithm 
to analyze also the reduced XL-algorithm (see Theorem 1 and Corollary 1). In 
order to state the main ideas of our analysis and to compare our results with the 
conjectures of [7], in this section, we concentrate on the original XL-algorithm. 

For $D \in \mathbb{N}$, let $K[X_1, \dots, X_n]_{\le D}$ be the $K$-vector space of polynomials in 
$X_1, \dots, X_n$ of (total) degree $\le D$, and let 

$$\chi(D) := \dim_K(K[X_1, \dots, X_n]_{\le D}) - \dim_K(U_D). \qquad (3)$$

One can surely obtain a non-trivial univariate polynomial by (Gaussian) elimination on (2) if $\chi(D) \le D$. (This is because the $K$-vector space $K[X_1]_{\le D}$ has 
dimension $D + 1$, thus if $\chi(D) \le D$, then $\dim_K(U_D) + \dim_K(K[X_1]_{\le D}) > \dim_K(K[X_1, \dots, X_n]_{\le D})$, and this implies that $U_D \cap K[X_1]_{\le D} \ne \{0\}$.) In order 
to analyze the running time of the XL-algorithm, it is of greatest importance to 
study the question for which $D$ one can expect this condition to hold (if such a 
$D$ exists at all). We thus define $D_{\min}$ to be the minimal $D$ with $\chi(D) \le D$ (if no 
such $D$ exists, we set $D_{\min} = \infty$). 

The starting point for our analysis of the XL-algorithm is the interpretation 
of the original XL-algorithm via the theory of homogeneous polynomial ideals 
pointed out by Moh ([13]). This interpretation opens the door for the usage of 
well-established methods from commutative algebra; the keywords are Hilbert 
Theory, Hilbert functions, Hilbert series and Hilbert polynomials. 

A crucial observation is that in order to derive lower bounds on $\chi(D)$ (i.e. 
upper bounds on $\dim_K(U_D)$) it suffices to study the dimensions of the homogeneous parts of algebras defined by generic systems of homogeneous polynomials. 
(This notion will be made precise in Sect. 4.) For $m \le n + 1$, these dimensions 
are known, and this information suffices to prove that for $m = n + c$, $c \ge 1$, 



$$D_{\min} \ \ge\ \frac{n}{\sqrt{c-1} + 1} \qquad (4)$$

(see Proposition 6). In contrast to this inequality, it was suggested in [7-Sect. 
6.4] that "even for small values of c", $c \ge 2$, one has 

$$D_{\min} \ \approx\ \sqrt{n}\,. \qquad (5)$$



Let us fix the field $K$ and $c \ge 2$ and study the asymptotic behavior of the 
running time of the original XL-algorithm for $n \to \infty$ (and $m = n + c$): If (5) 
were true, the XL-algorithm in [7] would have a running time (in field operations) 
which is subexponential in $n$. (This hope was expressed at the end of Sect. 6.1 of 
[7] as well as at the end of the introduction of [7].) However, by (4), the running 
time of all instances for which $U_D \cap K[X_1]_{\le D} = \{0\}$ for all $D < D_{\min}$ is not 
subexponential in $n$. 

If $K$ is a finite field and $\#K$ and $n$ are not "too small", it seems very reasonable 
to expect: Among all systems (1) which have a solution in $K$, the portion of 
systems for which $U_D \cap K[X_1]_{\le D} \ne \{0\}$ for some $D < D_{\min}$ is negligible. This 
suggests that for any fixed $c \ge 1$ the median of the running times of the original 
XL-algorithm applied to systems of $m = n + c$ quadratic equations in $n$ variables 
over $K$ which have a solution in $K$ is not subexponential in $n$. The hope stated 
at the end of Sect. 1 of [7] that "the expected running time of this technique is 
... subexponential if m exceeds n by a small number" should be abandoned. 

For $c \ge 3$, much more precise lower bounds on $D_{\min}$ than the ones in (4) 
can be obtained if one assumes a certain conjecture which implies what the 
dimensions of homogeneous parts of algebras defined by generic systems of homogeneous polynomials should be (see Sect. 5). This conjecture, which is now 
approximately 20 years old, states that certain linear maps are either injective 
or surjective, that is, they have maximal rank. Because of this, we speak of the 
maximal rank conjecture (MR-conjecture). 



3 A Generalization of the Original and the Reduced XL-Algorithm 

The original as well as the reduced XL-algorithm can easily be generalized to more general than quadratic systems of polynomial equations (see also 
[5-Sect. 2]). 

For these generalizations, we start off with a system of $m$ polynomial equations 

$$f_1(X_1, \dots, X_n) = 0,\ \dots,\ f_m(X_1, \dots, X_n) = 0. \qquad (6)$$

The generalization of the original XL-algorithm works just as the original XL-algorithm stated in the previous section with the difference that for some $D \in \mathbb{N}$, one applies Gaussian elimination to the linearized system of all polynomial 
equations 

$$\prod_{\ell=1}^{k} X_{i_\ell} \cdot f_j(X_1, \dots, X_n) = 0, \qquad (7)$$

where $k + \deg(f_j) \le D$. 

Clearly, the reduced XL-algorithm can be generalized in a similar manner. 
From now on, we refer to these generalizations also as the “original” and the 
“reduced” XL-algorithm. 

Let us fix the following notations. 

— As in the previous section, let 

$$U_D := \Bigl\langle \prod_{\ell=1}^{k} X_{i_\ell} \cdot f_j(X_1, \dots, X_n) \ \text{ with } k \le D - \deg(f_j) \Bigr\rangle_K \qquad (8)$$




C. Diem 



— and 

$$\chi(D) := \dim_K(K[X_1, \dots, X_n]_{\le D}) - \dim_K(U_D). \qquad (9)$$

Let $K = \mathbb{F}_q$. 

— If $f \in K[X_1, \dots, X_n]_{\le D}$, we denote by $f^{\mathrm{red}}$ the "reduction" of $f$, i.e. 
$f^{\mathrm{red}}$ is the polynomial obtained by maximally reducing all exponents in the 
monomials according to the relations $X_i \cdot \prod_{\ell=1}^{k} X_{i_\ell} - X_i^{q} \cdot \prod_{\ell=1}^{k} X_{i_\ell} = 0$. Note 
that $(\cdot)^{\mathrm{red}}$ is a homomorphism of $K$-vector spaces and that $(U_D)^{\mathrm{red}} \le (K[X_1, \dots, X_n]_{\le D})^{\mathrm{red}}$ is the space of equations generated in the reduced 
XL-algorithm. 

— In order to analyze the reduced XL-algorithm, we set 

$$\chi^{\mathrm{red}}(D) := \dim_K\bigl((K[X_1, \dots, X_n]_{\le D})^{\mathrm{red}}\bigr) - \dim_K\bigl((U_D)^{\mathrm{red}}\bigr). \qquad (10)$$

— Let $\widetilde{U}_D$ be defined just as $U_D$ with respect to the system of $m + n$ polynomials 
$f_1, \dots, f_m, X_1^{q} - X_1, \dots, X_n^{q} - X_n$, and let $\widetilde{\chi}(D)$ be defined as $\chi(D)$ with 
respect to $\widetilde{U}_D$. 

The proof of the following proposition can be found in Appendix A. 

Proposition 1. We have $\chi^{\mathrm{red}}(D) = \widetilde{\chi}(D)$. 

Because of this proposition, the results on the original XL-algorithm can 
easily be carried over to the reduced XL-algorithm. What remains is to derive 
non-trivial lower bounds on $\chi(D)$. 



4 The XL-Algorithm and Hilbert Theory 

In the following discussion, we assume that the reader is familiar with basic 
notions of commutative algebra as can for example be found in the first three 
chapters of [1]. 

As mentioned in Sect. 2, our analysis of the XL-algorithm relies on an interpretation via homogeneous polynomial ideals. The main idea is to consider 
(for some field $K$, some $n \in \mathbb{N}$ and some $D \in \mathbb{N}$) the homogeneous polynomials 
of degree $D$ in $n + 1$ variables instead of the polynomials of degree $\le D$ in $n$ 
variables. 

Let $K$ be an arbitrary field, $n \in \mathbb{N}$, and let $f_1, \dots, f_m \in K[X_1, \dots, X_n]$. 
We use the notations of the previous sections, and additionally we denote by 
$K[X_0, \dots, X_n]_D$ the $K$-vector space of all homogeneous polynomials of degree $D$. 
More generally, for any positively graded $K[X_0, \dots, X_n]$-module $M$, we denote 
the homogeneous part of degree $D$ of $M$ by $M_D$. 

Let $F_j \in K[X_0, \dots, X_n]$ be the homogenization of $f_j$, that is, $F_j$ is the 
unique homogeneous polynomial in $K[X_0, \dots, X_n]$ of the same degree as $f_j$ with 
$F_j(1, X_1, \dots, X_n) = f_j(X_1, \dots, X_n)$. 

Let 

$$\Phi : K[X_1, \dots, X_n]_{\le D} \longrightarrow K[X_0, \dots, X_n]_D$$

be the "degree $D$ homogenization map", that is, the $K$-linear map given by 

$$\prod_{\ell=1}^{k} X_{i_\ell} \ \longmapsto\ X_0^{\,D-k} \cdot \prod_{\ell=1}^{k} X_{i_\ell}.$$

Then under the isomorphism $\Phi$, the $K$-vector space $U_D$ corresponds to 

$$\Bigl\langle \prod_{\ell=1}^{k} X_{i_\ell} \cdot F_j(X_0, X_1, \dots, X_n) \ \text{ with } k = D - \deg(F_j) \Bigr\rangle_K,$$

where the products are taken over the variables $X_0, \dots, X_n$. This space is nothing 
but the homogeneous component of degree $D$ of the homogeneous ideal 

$$I := (F_1, \dots, F_m) \lhd K[X_0, \dots, X_n],$$

denoted $I_D$. We have 

$$\begin{aligned}
\chi(D) &= \dim_K(K[X_1, \dots, X_n]_{\le D}) - \dim_K(U_D) \\
&= \dim_K(K[X_0, \dots, X_n]_D) - \dim_K(I_D) \\
&= \dim_K(K[X_0, \dots, X_n]_D / I_D) \\
&= \dim_K\bigl((K[X_0, \dots, X_n]/I)_D\bigr). 
\end{aligned} \qquad (11)$$

Let $R := K[X_0, \dots, X_n]$. Recall the following definitions (see e.g. [16-Sect. 1]). 

Definition 2. Let $M = \bigoplus_{i \in \mathbb{N}_0} M_i$ be any finitely generated positively graded 
$R$-module. Then the function 

$$\chi_M : \mathbb{N}_0 \longrightarrow \mathbb{N}_0, \qquad \chi_M(i) := \dim_K(M_i)$$

is called the Hilbert function of $M$. 

The power series with integer coefficients 

$$H_M := \sum_{i \in \mathbb{N}_0} \chi_M(i)\, T^i$$

is called the Hilbert series of $M$. 

Note that the above equation (11) states that 

$$\chi(D) = \chi_{R/I}(D) \quad \text{for all } D \in \mathbb{N}. \qquad (12)$$

Let us denote by $X^{\underline{i}}$ the monomial corresponding to the multiindex $\underline{i} \in \mathbb{N}_0^{n+1}$. The following definition can be found in [10]. 

Definition 3. A form (i.e. a homogeneous polynomial) $G = \sum_{\underline{i}} a_{\underline{i}} X^{\underline{i}} \in R$ of 
degree $d$ is generic if all monomials of degree $d$ in $R$ have coefficients in $G$, 
and these coefficients are algebraically independent over the prime field of $K$. 

A generic system of forms is a system of generic forms $G_j = \sum_{\underline{i}} a^{(j)}_{\underline{i}} X^{\underline{i}}$ as 
above (not necessarily of the same degree) such that all $a^{(j)}_{\underline{i}}$ are algebraically 
independent over the prime field of $K$. An ideal $I$ generated by a generic system 
of forms is called generic, and so is the $R$-algebra $R/I$. 
Lemma and Definition 4. The Hilbert series of an ideal generated by a generic 
system $G_1, \dots, G_m$ of forms of degrees $d_1, \dots, d_m$ depends only on the characteristic of the field, the number $n$ and the tuple of numbers $(d_1, \dots, d_m)$. If the 
characteristic of the field is 0, we speak of the generic Hilbert series of type 
$(n + 1; m; d_1, \dots, d_m)$. 

Proof. Let $K$ and $L$ be two fields over the same prime field $F$, and let 
$G_1, \dots, G_m \in K[X_0, \dots, X_n]$, $G'_1, \dots, G'_m \in L[X_0, \dots, X_n]$ be two generic systems of forms such that $\deg(G_j) = \deg(G'_j)$ for all $j$. Let $G_j = \sum_{\underline{i}} a^{(j)}_{\underline{i}} X^{\underline{i}}$, 
$G'_j = \sum_{\underline{i}} a'^{(j)}_{\underline{i}} X^{\underline{i}}$. Let $k$ and $l$ respectively be the subfields of $K$ and $L$ generated 
by the coefficients of the $G_j$ and $G'_j$ over $F$. Then there exists a (unique) isomorphism between $k$ and $l$ under which $a^{(j)}_{\underline{i}}$ corresponds to $a'^{(j)}_{\underline{i}}$. We thus have for 
all $D \in \mathbb{N}_0$ 

$$\begin{aligned}
\chi_{K[X_0, \dots, X_n]/(G_1, \dots, G_m)}(D) &= \dim_K\bigl((K[X_0, \dots, X_n]/(G_1, \dots, G_m))_D\bigr) \\
&= \dim_k\bigl((k[X_0, \dots, X_n]/(G_1, \dots, G_m))_D\bigr) \\
&= \dim_l\bigl((l[X_0, \dots, X_n]/(G'_1, \dots, G'_m))_D\bigr) \\
&= \dim_L\bigl((L[X_0, \dots, X_n]/(G'_1, \dots, G'_m))_D\bigr) = \chi_{L[X_0, \dots, X_n]/(G'_1, \dots, G'_m)}(D). 
\end{aligned}$$

□ 

Together with (12), the following proposition is crucial for our analysis of the 
XL-algorithm. 

Proposition 2. Let $K$ be any field (of any characteristic), and let $F_1, \dots, F_m \in R = K[X_0, \dots, X_n]$ be forms of degree $d_1, \dots, d_m$ (not necessarily generic). 
Let $H_g$ be the generic Hilbert series of type $(n + 1; m; d_1, \dots, d_m)$. Let $I := (F_1, \dots, F_m) \lhd K[X_0, \dots, X_n]$. Then we have the coefficient-wise inequality 

$$H_{R/I} \ \ge\ H_g.$$

This proposition seems to be well-known in commutative algebra (see e.g. 
Sect. 4 of [16]); for the lack of a suitable reference we include the proof in 
Appendix B. 

Because of (12) and this proposition the task is now to study generic Hilbert 
series. The following proposition is a well-known statement from commutative 
algebra. 

Proposition 3. Let $m \le n + 1$, and let $G_1, \dots, G_{m-1}, G_m = G$ be a generic system of forms in $R = K[X_0, \dots, X_n]$, where $G$ has degree $d$. Let 
$J := (G_1, \dots, G_{m-1}) \lhd R$. Then for all $D \in \mathbb{N}_0$ the multiplication map 

$$G\cdot : (R/J)_D \longrightarrow (R/J)_{D+d}, \qquad F \mapsto G \cdot F$$

is injective; in particular we have a short exact sequence 

$$0 \longrightarrow (R/J)_D \longrightarrow (R/J)_{D+d} \longrightarrow (R/(J, G))_{D+d} \longrightarrow 0.$$

(Here by $(J, G)$ we denote the ideal of $R$ generated by $J$ and $G$.) 
Indeed, this proposition is nothing but a reformulation of the well-known 
statement that a generic system of forms in $K[X_0, \dots, X_n]$ with at most $n + 1$ 
elements forms a regular sequence (cf. [16-Sect. 4], Page 318). (The fact that a 
generic system of forms is a regular sequence can be seen as follows: By Lemma 
3 in Appendix B, it suffices to prove that for all $(d_1, \dots, d_{n+1}) \in \mathbb{N}^{n+1}$ there 
exist some forms $F_1, \dots, F_{n+1} \in R$ of degrees $d_1, \dots, d_{n+1}$ which form a regular 
sequence, and by [12-Theorem 16.1], the forms $X_0^{d_1}, \dots, X_n^{d_{n+1}}$ do form a regular 
sequence.) 

Note that the Hilbert series of $R = K[X_0, \dots, X_n]$ is 

$$H_R = \frac{1}{(1 - T)^{n+1}} \qquad (13)$$

(see e.g. [16-Sect. 1]). Proposition 3 and (13) imply by induction on $m$: 

Proposition 4. Let $m \le n + 1$, and let $G_1, \dots, G_m$ be a generic system of forms 
of degrees $d_1, \dots, d_m$ in $R$. Then the Hilbert series of $R/(G_1, \dots, G_m)$ is 

$$\frac{\prod_{j=1}^{m} (1 - T^{d_j})}{(1 - T)^{n+1}}.$$

For simplicity we now concentrate until the end of this section on the case of 
quadratic equations. 



Proposition 5. Let $m = n + c$ for some $c \ge 1$. Let $F_1, \dots, F_m$ be quadratic 
forms in $R = K[X_0, \dots, X_n]$. Then the Hilbert series of $R/(F_1, \dots, F_m)$ is 
coefficient-wise greater-or-equal 

$$(1 - (c - 1)T^2)(1 + T)^{n+1}.$$



Proof. By Proposition 2 we only have to prove that the generic Hilbert series of 
type $(n + 1; m; 2, \dots, 2)$ is coefficient-wise greater-or-equal $(1 - (c - 1)T^2)(1 + T)^{n+1}$. 

So let $K$ be a field of characteristic 0, let $R = K[X_0, \dots, X_n]$, and let 
$G_1, \dots, G_m$ be a generic system of quadratic forms in $R$. (The assumption 
on the characteristic is not necessary for the following argument.) Let $R' := R/(G_1, \dots, G_{n+1})$, and let $I'$ be the ideal generated by $G_{n+2}, \dots, G_m$ in $R'$. 
Note that by the above proposition, the Hilbert series of $R'$ is $(1 + T)^{n+1}$. We 
have $R/(G_1, \dots, G_m) \cong R'/I'$, thus 

$$\chi_{R/(G_1, \dots, G_m)}(D) = \chi_{R'/(G_{n+2}, \dots, G_m)}(D) = \dim_K(R'_D) - \dim_K(I'_D).$$

Now, for $D \ge 2$, $I'_D = \sum_{j=n+2}^{m} G_j \cdot R'_{D-2}$, where by definition $G_j \cdot R'_{D-2}$ is 
the image of $R'_{D-2}$ under the multiplication map $G_j\cdot : R'_{D-2} \to R'_D$. It follows 
that 

$$\dim_K(I'_D) \le (m - n - 1) \dim_K(R'_{D-2}).$$

All in all, we have 

$$\chi_{R/(G_1, \dots, G_m)}(D) \ \ge\ \chi_{R'}(D) - (c - 1)\chi_{R'}(D - 2),$$

thus 

$$H_{R/(G_1, \dots, G_m)} \ \ge\ H_{R'} - (c - 1)T^2 H_{R'} = (1 - (c - 1)T^2)(1 + T)^{n+1}. \qquad \square$$

Proposition 6. Let $K$ be any field, let $m = n + c$ with $c \ge 1$, let $f_1, \dots, f_m \in K[X_1, \dots, X_n]$ be quadratic polynomials, and as in Sect. 2, let $D_{\min}$ be the minimal $D$ with $\chi(D) \le D$, where $\chi(D)$ is defined as above with respect to these 
polynomials. Then 

$$D_{\min} \ \ge\ \frac{n}{\sqrt{c - 1} + 1}.$$

Sketch of the Proof. Let $c \ge 1$, $m = n + c$, $f_1, \dots, f_m$ and $\chi(D)$ be as in the 
proposition. By (12) and the above proposition, we have 

$$\chi(D) \ \ge\ \Bigl(\frac{(n - D + 2)(n - D + 3)}{(D - 1)D} - (c - 1)\Bigr) \binom{n + 1}{D - 2}$$

for all $D \ge 2$. The proposition follows from the statement that $\bigl(\frac{(n - D + 2)(n - D + 3)}{(D - 1)D} - (c - 1)\bigr) \binom{n + 1}{D - 2} > D$ for all $D < \frac{n}{\sqrt{c - 1} + 1}$. We show the slightly weaker statement that $\frac{(n - D + 2)(n - D + 3)}{(D - 1)D} - (c - 1) > 0$ for all $D < \frac{n}{\sqrt{c - 1} + 1}$. 

Let $D < \frac{n}{\sqrt{c - 1} + 1}$. Then $D\sqrt{c - 1} + D < n$, thus $D^2(c - 1) < (n - D)^2$. This 
implies that $(D - 1)D(c - 1) < (n - D + 2)(n - D + 3)$, i.e. $\frac{(n - D + 2)(n - D + 3)}{(D - 1)D} - (c - 1) > 0$. □ 



Remark 5. For an application of the XL-algorithm to a system with $m = n$ 
quadratic equations, one can easily see with Propositions 2 and 4 and (12) that 
one always has $D_{\min} \ge 2^n$, and for $m = n + 1$ quadratic equations, one has 
$D_{\min} \ge n + 1$. Both these results are consistent with conjectures in [7]. 



5 The Maximal Rank Conjecture 

The maximal rank conjecture (MR-conjecture) which we now state can be thought 
of as a (potential) generalization of Proposition 3. 

Conjecture. Let $K$ be a field of characteristic 0, and let $G_1, \dots, G_{m-1}, G_m = G$ 
be a generic system of forms in $R = K[X_0, \dots, X_n]$, where $G$ has degree $d$. Let 
$J := (G_1, \dots, G_{m-1}) \lhd R$. Then for all $D \in \mathbb{N}_0$ the multiplication map 

$$G\cdot : (R/J)_D \longrightarrow (R/J)_{D+d}, \qquad F \mapsto G \cdot F$$

has maximal rank, that is, it is injective if $\dim_K((R/J)_D) \le \dim_K((R/J)_{D+d})$ 
and it is surjective if $\dim_K((R/J)_D) \ge \dim_K((R/J)_{D+d})$. 
This conjecture, which is also known under the name "Fröberg's Conjecture", 
can (in an equivalent formulation) be found in [10]. It is also stated in Sect. 4 
of the informative overview article [16]. (Note however that the formulations at 
the beginning of Sect. 4 of [16] are a bit vague.) Interesting facts about this and 
related conjectures can be found in [15]. 

The conjecture is known to hold if one of the following five conditions is 
satisfied: $m \le n + 1$ (see Proposition 3), $n = 1$, $n = 2$, $m = n + 2$, $D = \min_j\{\deg(G_j)\} + 1$ (see [10-3.2.] and the citations in [16-Sect. 4]). 

The conjecture is equivalent to the statement that 

$$\chi_{R/(J, G)}(D) = \max\{\chi_{R/J}(D) - \chi_{R/J}(D - d),\ 0\}$$

as one can easily see (cf. [16-Sect. 4]). (Here, we set $\chi_{R/J}(i) = 0$ for $i < 0$.) 

Obviously, if $\chi_{R/(J, G)}(D) = 0$, then $\chi_{R/(J, G)}(D') = 0$ for all $D' \ge D$. Using 
this fact, the conjecture can be reformulated via Hilbert series as: 

$$H_{R/(J, G)} = \bigl|(1 - T^d) H_{R/J}\bigr|, \qquad (14)$$

where for some power series $p(T)$ with integer coefficients, $|p(T)|$ denotes the 
power series $q(T) = \sum_i q_i T^i$ where 

$$q_i = \begin{cases} p_i & \text{if } p_j > 0 \text{ for all } j \le i \\ 0 & \text{if } p_j \le 0 \text{ for some } j \le i. \end{cases}$$



Assumption. From now on, we assume that the maximal rank conjecture is 
valid. 



Let $K$ be a field of characteristic 0, let $G_1, \dots, G_m$ be a generic system of 
forms in $R$, and let $d_j := \deg(G_j)$. Let $I := (G_1, \dots, G_m)$. Using (13), (14) and 
Lemma 5 in Appendix C, we have 

$$H_{R/I} = \left| \frac{\prod_{j=1}^{m} (1 - T^{d_j})}{(1 - T)^{n+1}} \right|. \qquad (15)$$

Definition 5. (see [16]) We call the right-hand side of the above equation the 
expected Hilbert series of a generic algebra of type $(n + 1; m; d_1, \dots, d_m)$. 

Proposition 2 implies: 

Proposition 7. Let $K$ be any field (of any characteristic), and let $F_1, \dots, F_m \in R = K[X_0, \dots, X_n]$ be forms of degree $d_1, \dots, d_m$ (not necessarily generic). Let 
$H_e$ be the corresponding expected Hilbert series. Let $I := (F_1, \dots, F_m)$. Then we 
have the coefficient-wise inequality 

$$H_{R/I} \ \ge\ H_e.$$

Together with (12), this proposition has the following implication for the 
original XL-algorithm. 
Theorem 1. Let $K$ be any field, let $f_1, \dots, f_m$ be non-trivial polynomials in 
$K[X_1, \dots, X_n]$ with degrees $d_1, \dots, d_m$. Let $D \in \mathbb{N}$, and let $\chi(D)$ be defined as in 
(9). Then $\chi(D)$ is greater-or-equal to the $D$-th term of the expected Hilbert series 
of a generic algebra of type $(n + 1; m; d_1, \dots, d_m)$. 

By Proposition 1, this theorem has the following corollary which can be used 
to analyze the reduced XL-algorithm. 

Corollary 1. With the notations of the theorem, let $K = \mathbb{F}_q$, and let $\chi^{\mathrm{red}}(D)$ 
be defined as in (10). Then $\chi^{\mathrm{red}}(D)$ is greater-or-equal to the $D$-th term of the expected Hilbert series of a generic algebra of type $(n + 1; m + n; d_1, \dots, d_m, q, \dots, q)$. 

Remark 6. Let $D_{n,m}$ be the degree of the expected Hilbert series of a generic 
algebra of type $(n + 1; m; 2, \dots, 2)$. One can use the methods presented in [2-Sect. 5] to study the asymptotic behavior of $D_{n,m}$. A corresponding study is carried 
out in [3]. One obtains $D_{n,n+c} \sim \frac{n}{2}$ for any fixed $c \ge 2$ and $n \to \infty$. (More 
precise results for various small $c$ can also be found in [3].) For a fixed $a > 1$, a 
reformulation of a result in [3] gives $D_{n,an} \sim \bigl(a - \sqrt{a^2 - a} - \tfrac{1}{2}\bigr) \cdot n$ for $n \to \infty$. 
For example, one has $D_{n,2n} \sim C \cdot n$ with $C = \tfrac{3}{2} - \sqrt{2} \approx 0.0858$ (which is 
consistent with the "Comparison with 2n equations over Q" on page 13 of [2]). 
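The bound of Theorem 1 is computable by plain power-series arithmetic: form the expected Hilbert series (15) from (13), truncate it as in (14), and the first D whose coefficient is ≤ D is a lower bound on D_min. The Python below does this as an added example (not code from the paper; the function names are chosen here) and compares the result with the closed form of Proposition 6 and the values in Remarks 5 and 6.

```python
from math import comb, sqrt

def hilbert_series_R(n, N):
    """H_R for R = K[X_0, ..., X_n], i.e. 1/(1-T)^{n+1}, truncated at T^N (eq. 13)."""
    return [comb(n + i, n) for i in range(N + 1)]

def times_one_minus_T_pow(s, d):
    """Multiply a truncated series (list of coefficients) by (1 - T^d)."""
    return [s[i] - (s[i - d] if i >= d else 0) for i in range(len(s))]

def positive_part(p):
    """|p(T)| of eq. (14): keep p_i while every earlier coefficient is positive,
    and 0 from the first non-positive coefficient on."""
    q = [0] * len(p)
    for i, x in enumerate(p):
        if x <= 0:
            break
        q[i] = x
    return q

def expected_hilbert_series(n, degrees, N):
    """Expected Hilbert series of a generic algebra of type (n+1; m; d_1..d_m):
    |prod_j (1 - T^{d_j}) / (1 - T)^{n+1}|, truncated at T^N (eq. 15)."""
    s = hilbert_series_R(n, N)
    for d in degrees:
        s = times_one_minus_T_pow(s, d)
    return positive_part(s)

def dmin_lower_bound(n, degrees, N=None):
    """By Theorem 1, chi(D) >= coefficient of T^D in the expected series, so
    D_min (the least D with chi(D) <= D) is at least the least D at which that
    coefficient is <= D.  Returns None if no such D <= N exists (N defaults to a
    value that suffices for m >= n; for m < n the series never truncates)."""
    if N is None:
        N = 4 * n + 4 + max(degrees)
    h = expected_hilbert_series(n, degrees, N)
    for D, coeff in enumerate(h):
        if coeff <= D:
            return D
    return None

def proposition6_bound(n, c):
    """Closed-form bound D_min >= n / (sqrt(c-1) + 1) for m = n + c quadratics."""
    return n / (sqrt(c - 1) + 1)

def expected_degree(n, degrees, N=None):
    """Degree of the expected Hilbert series (D_{n,m} of Remark 6 for quadratics):
    the index of its last positive coefficient."""
    if N is None:
        N = 4 * n + 4 + max(degrees)
    h = expected_hilbert_series(n, degrees, N)
    return max(i for i, x in enumerate(h) if x > 0)

def check_quadratic_grid(n_max=12, c_max=5):
    """For every m = n + c in the grid, the series bound must dominate Proposition 6."""
    for n in range(2, n_max + 1):
        for c in range(1, c_max + 1):
            if dmin_lower_bound(n, [2] * (n + c)) < proposition6_bound(n, c):
                return False
    return True

if __name__ == "__main__":
    for n, c in [(9, 2), (9, 3), (20, 2)]:
        print(f"n={n}, m=n+{c}: series bound {dmin_lower_bound(n, [2] * (n + c))}, "
              f"Prop. 6 bound {proposition6_bound(n, c):.2f}")
    # Remark 6 with a = 2: D_{n,2n}/n should approach 3/2 - sqrt(2) ~ 0.0858
    n = 400
    print("D_{n,2n}/n for n = 400:", expected_degree(n, [2] * (2 * n)) / n)
```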

Acknowledgment 

I thank G. Böckle, T. Bröcker, C. Cid, A. Conca, G. Frey, S. Galbraith, J. Herzog, 
J. Scholten, A. Wiebe and B.-Y. Yang for discussions. I am particularly indebted 
to J. Herzog and A. Wiebe for pointing out the "maximal rank conjecture" to 
me. 

Support by the IST Programme "Ecrypt" of the European Union is gratefully 
acknowledged. 

References 

[1] M. Atiyah and I. Macdonald. Introduction to Commutative Algebra. Addison-Wesley, Reading, 1969. 

[2] M. Bardet, J.-C. Faugère, and B. Salvy. Complexity of Gröbner basis computations 
for Semi-regular Overdetermined sequences over $\mathbb{F}_2$ with solutions in $\mathbb{F}_2$. INRIA 
Rapport de recherche No. 5049, 2003. 

[3] J.-M. Chen and B.-Y. Yang. All in the XL Family: Theory and Practice. 
Manuscript from June 2004. 

[4] J.-M. Chen and B.-Y. Yang. Theoretical Analysis of XL over Small Fields. 
In H. Wang, J. Pieprzyk, V. Varadharajan, editors, Information Security and 
Privacy, volume 3108 of LNCS, pages 277-288, Springer-Verlag, Berlin, 2004. 

[5] N. Courtois. Higher Order Correlation Attacks, XL algorithm, and Cryptanalysis 
of Toyocrypt. In P.J. Lee, C.H. Lim, editors, Advances in Cryptology — ICISC 
02, volume 2587 of LNCS, pages 182-199, Springer-Verlag, Berlin, 2002. 

[6] N. Courtois, A. Klimov, J. Patarin, and A. Shamir. Efficient Algorithms for 
Solving Overdefined Systems of Multivariate Polynomial Equations, "extended 
version", available under http://www.minrank.org/xlfull.pdf (as of August 24, 
2004). 

[7] N. Courtois, A. Klimov, J. Patarin, and A. Shamir. Efficient Algorithms for 
Solving Overdefined Systems of Multivariate Polynomial Equations. In B. Preneel, 
editor, Advances in Cryptology — EUROCRYPT 2000, volume 1807 of LNCS, 
pages 392-407. Springer-Verlag, Berlin, 2000. 

[8] N. Courtois and J. Pieprzyk. Cryptanalysis of block ciphers with overdefined 
systems of equations. In Y. Zheng, editor, Advances in Cryptology — ASIACRYPT 
2002, volume 2501 of LNCS, pages 267-287. Springer-Verlag, Berlin, 2002. 

[9] D. Eisenbud. Commutative Algebra with a View Toward Algebraic Geometry. 
Springer-Verlag, New York, 1995. 

[10] R. Fröberg. An inequality for Hilbert series of graded algebras. Math. Scand., 
56:117-144, 1985. 

[11] D. Knuth. The Art of Computer Programming. Addison-Wesley, Reading, 1973. 

[12] H. Matsumura. Commutative Ring Theory. Cambridge University Press, Cambridge, UK, 1986. 

[13] T. Moh. On the method of "XL" and its inefficiency to TTM. Manuscript from 
January 28, 2000, available under http://eprint.iacr.org/2001/047. 

[14] S. Murphy and M.J.B. Robshaw. Essential algebraic structure within the AES. 
In M. Yung, editor, Advances in Cryptology — CRYPTO 2002, pages 1-16, 2002. 

[15] K. Pardue. Generic Sequences of Polynomials. Manuscript from March 30, 2000. 

[16] G. Valla. Problems and Results on Hilbert Polynomials of Graded Algebras. In 
J. Elias and J. Giral, editors, Six Lectures on Commutative Algebra, volume 166 of 
Progress in Mathematics. Birkhäuser, Basel, 1996. 



A On the Connection Between the Original and the Reduced XL-Algorithm 

The purpose of this section is to prove Proposition 1. 

As in Proposition 1, let $K = \mathbb{F}_q$. Let 

$$V_D := \Bigl\langle \prod_{\ell=1}^{k} X_{i_\ell} \cdot (X_i^{q} - X_i) \ \text{ with } k + q \le D \Bigr\rangle_K \ \le\ K[X_1, \dots, X_n]_{\le D}.$$

Lemma 1. Let $U$ be any $K$-vector subspace of $K[X_1, \dots, X_n]_{\le D}$. Then we have 
a short exact sequence 

$$0 \longrightarrow U \cap V_D \longrightarrow U \longrightarrow U^{\mathrm{red}} \longrightarrow 0.$$

Proof. It is obvious that $U \cap V_D$ is contained in the kernel of $(\cdot)^{\mathrm{red}}$. The converse 
follows from the following lemma. □ 

Lemma 2. Let $f \in K[X_1, \dots, X_n]$. Then there exist polynomials $p_1, \dots, p_n$ of 
degree $\le \deg(f) - q$ with 

$$f = p_1 \cdot (X_1^{q} - X_1) + \dots + p_n \cdot (X_n^{q} - X_n) + f^{\mathrm{red}}.$$
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Proof. By the linearity of (. . it suffices to prove the statement for mono- 
mials, and for monomials it is obvious by the very definition of (. . □ 

Let us use the definitions of Sect. 3. 

We have by Lemma 1 

{K[Xi, . . . , K[Xu . . . , Xrf\<D/VD , 

— Ud/{Ud n Vd) — {Ud + Vd)IVd — Ud/Vd , 

thus 

{K[Xi, . . .,Xn]<Dy’^’^/{UDY^’^ ^ {K[Xu . . .,Xn]<D/VD)/ {U d/Vd) 

~K[X^,...,XY\/Ud . 

This implies: 

= dimx((iL[Xi, . . . , Xr,]<Dy-‘^l{UDr^^) 

= dhnK{K[X^,...,Xy\<DlllD) =X{D) . 



B Hilbert Series of Generic and Arbitrary Algebras

The purpose of this section is to prove Proposition 2. Before we come to the proof, let us state two lemmata.

Lemma 3. Let $A$ be a domain with quotient field $Q$. Let $K$ be a field, let $\varphi : A \to K$ be a homomorphism, and let $\Phi : A[X_0, \ldots, X_n] \to K[X_0, \ldots, X_n]$ be the canonical extension of $\varphi$. Let $I \lhd A[X_0, \ldots, X_n]$ be a homogeneous ideal (that is, an ideal generated by homogeneous polynomials). Then we have the coefficient-wise inequality

$$H_{K[X_0, \ldots, X_n]/(\Phi(I))} \;\ge\; H_{Q[X_0, \ldots, X_n]/(I)} .$$

Proof. Let $D \in \mathbb{N}_0$. The map $\varphi : A \to K$ induces a canonical map

$$(A[X_0, \ldots, X_n]/I)_D \longrightarrow (A[X_0, \ldots, X_n]/I)_D \otimes_A K \cong (A[X_0, \ldots, X_n]/I \otimes_A K)_D \cong (K[X_0, \ldots, X_n]/(\Phi(I)))_D .$$

This implies that

$$\chi_{K[X_0, \ldots, X_n]/(\Phi(I))}(D) = \dim_K\bigl((A[X_0, \ldots, X_n]/I)_D \otimes_A K\bigr)$$

$$\ge \dim_Q\bigl((A[X_0, \ldots, X_n]/I)_D \otimes_A Q\bigr) \quad \text{by Lemma 4 below}$$

$$= \dim_Q\bigl((Q[X_0, \ldots, X_n]/(I))_D\bigr) = \chi_{Q[X_0, \ldots, X_n]/(I)}(D) .$$

Lemma 4. Let $A$ be a domain with quotient field $Q$, and let $M$ be a finitely generated $A$-module. Let $K$ be a field and let $\varphi : A \to K$ be a homomorphism. Then

$$\dim_K(M \otimes_A K) \;\ge\; \dim_Q(M \otimes_A Q) .$$

Proof. Let $\mathfrak{m}$ be the kernel of $\varphi$. Then $M \otimes_A K \cong M_{\mathfrak{m}} \otimes_{A_{\mathfrak{m}}} K$ and $M \otimes_A Q \cong M_{\mathfrak{m}} \otimes_{A_{\mathfrak{m}}} Q$. We can thus assume that $A$ is a local ring with maximal ideal $\mathfrak{m} = \ker(\varphi)$. As the dimension of a vector space is stable under base change, we can further assume that $\varphi$ is surjective. Now if $m_1, \ldots, m_r$ form modulo $\mathfrak{m}$ a basis of $M \otimes_A K$ over $K$, then by Nakayama's Lemma ([9, Corollary 4.8]) they generate the $A$-module $M$, thus they generate $M \otimes_A Q$ over $Q$. □

Proof of Proposition 2. We keep the notations of the proposition. The proposition follows from Lemma 3 applied to the multivariate polynomial ring $A = \mathbb{Z}[\{a_{j,\mu}\}]$, the ideal $I = (G_1, \ldots, G_m)$, where $G_1, \ldots, G_m$ with $G_j = \sum_{\mu} a_{j,\mu} X^{\mu}$ and $\deg(G_j) = d_j$ is a generic system of forms, and the specialization homomorphism $\varphi : A \to K$ sending $a_{j,\mu}$ to the corresponding coefficient of $F_j$. (Note that the quotient field of $A$ is $\mathbb{Q}(\{a_{j,\mu}\})$, which has characteristic 0.) □



C A Lemma on Power Series

The following lemma generalizes [10, Lemma 4]. For the convenience of the reader, we include a proof.

Lemma 5. Let $p(T)$ be a power series with integer coefficients, let $d \in \mathbb{N}$. Then

$$\bigl|(1 - T^d)\,p(T)\bigr| = \bigl|(1 - T^d)\,|p(T)|\bigr| .$$

Proof. Note that $((1 - T^d)p(T))_i = p_i$ for $i < d$ and $((1 - T^d)p(T))_i = p_i - p_{i-d}$ for $i \ge d$.

Thus the coefficients whose index is $< d$ of both sides agree. Furthermore, if $p_i \le 0$ for some $i < d$, then both sides are equal.

Let us assume that for all $i = 0, \ldots, d-1$, we have $p_i > 0$.

If now for all $i$ we have $p_i - p_{i-d} > 0$, then we also have $p_i > 0$ for all $i$, as can easily be seen by induction on $i$. In this case, both sides agree with $(1 - T^d)p(T)$.

Assume that this is not the case and let $a$ be the least natural number for which $p_a - p_{a-d} \le 0$.

Then for each $i < a$, we have $p_i > 0$, again by induction on $i$.

There are two cases: Either $p_a > 0$. Then $|p(T)|_a - |p(T)|_{a-d} = p_a - p_{a-d} \le 0$ by definition of $a$. Or $p_a \le 0$. Then $|p(T)|_a - |p(T)|_{a-d} = -p_{a-d} < 0$.

We conclude that for $i \le d-1$, the $i$-th coefficient of both sides agrees with $p_i$; for $d \le i < a$, the $i$-th coefficient of both sides agrees with $p_i - p_{i-d}$; and for $i \ge a$, the $i$-th coefficient of both sides is $0$. □
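Lemma 5 and its proof, as an added example that is not code from the paper: the truncation operator $|\cdot|$ on integer power series given by their first $N$ coefficients, both sides of the identity computed on a constructed series, and an exhaustive check of the lemma over all short integer series with small coefficients. The convention assumed is the one the proof uses, namely that $|p(T)|$ keeps $p_0, p_1, \ldots$ up to but excluding the first index $i$ with $p_i \le 0$ and sets every later coefficient to $0$; the function names and the sample series are this example's own.

```python
"""Added example, not the paper's code: the truncation |.| of Lemma 5 on
integer power series represented by their first N coefficients, and an
exhaustive check of |(1 - T^d) p(T)| = |(1 - T^d) |p(T)|| on constructed inputs.
Assumed convention (as in the proof): |p(T)| keeps p_0, p_1, ... up to but
excluding the first index i with p_i <= 0 and sets all later coefficients to 0."""
from itertools import product


def truncate(p):
    """|p(T)|: the coefficients before the first non-positive one, then zeros."""
    kept = []
    for c in p:
        if c <= 0:
            break
        kept.append(c)
    return kept + [0] * (len(p) - len(kept))


def times_one_minus_T_pow(p, d):
    """Coefficients of (1 - T^d) p(T): p_i for i < d and p_i - p_{i-d} for i >= d."""
    return [p[i] - (p[i - d] if i >= d else 0) for i in range(len(p))]


def lemma5_sides(p, d):
    """Left and right side of Lemma 5, as coefficient lists of the length of p."""
    lhs = truncate(times_one_minus_T_pow(p, d))
    rhs = truncate(times_one_minus_T_pow(truncate(p), d))
    return lhs, rhs


def lemma5_holds_exhaustively(length, coefficient_range, max_d):
    """Check the lemma for every integer series with `length` leading coefficients
    drawn from coefficient_range and every d = 1..max_d. The first N coefficients
    of each side depend only on p_0..p_{N-1}, so the finite check is exact."""
    for p in product(coefficient_range, repeat=length):
        for d in range(1, max_d + 1):
            lhs, rhs = lemma5_sides(list(p), d)
            if lhs != rhs:
                return False
    return True


# Constructed sample series (not from the paper): 1 + 3T + 5T^2 + 2T^3 - T^4 + 4T^5
SAMPLE = [1, 3, 5, 2, -1, 4]

if __name__ == "__main__":
    print(lemma5_sides(SAMPLE, 2))
    print(lemma5_holds_exhaustively(5, range(-2, 4), 3))
```

For the sample series and $d = 2$ both sides come out as $1 + 3T + 4T^2$: the coefficient $p_3 - p_1 = -1$ is the first non-positive one on the left, and on the right $|p(T)|$ already drops $p_4 = -1$ before the multiplication, which is exactly the second case of the proof ($p_a \le 0$).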

The work described in this paper has been supported in part by the European Commission through the IST Programme under Contract IST-2002-507932 ECRYPT.

The information in this document reflects only the author's views, is provided
particular purpose. The user thereof uses the information at its sole risk and liability.
Abstract. This paper compares the XL algorithm with known Gröbner basis algorithms. We show that to solve a system of algebraic equations via the XL algorithm is equivalent to calculating the reduced Gröbner basis of the ideal associated with the system. Moreover we show that the XL algorithm is also a Gröbner basis algorithm which can be represented as a redundant variant of the Gröbner basis algorithm $F_4$. Then we compare these algorithms on semi-regular sequences, which correspond, conjecturally, to almost all polynomial systems, in two cases: over the fields $\mathbb{F}_2$ and $\mathbb{F}_q$ with $q \gg n$. We show that the size of the matrix constructed by XL is large compared to the ones of the $F_5$ algorithm. Finally, we give an experimental study between XL and the Buchberger algorithm on the cryptosystem HFE and find that the Buchberger algorithm has a better behavior.

Keywords: Multivariate polynomial equations, Algebraic attacks, Solving Systems, Gröbner basis, XL algorithm, Semi-regular Sequences.



1 Introduction 

Algebraic attacks are among the most efficient attacks for public key cryptosystems, block ciphers and stream ciphers. They try to recover a secret key by solving a system of algebraic equations. Algebraic attacks were first applied to the Matsumoto-Imai Public Key Scheme in [19] by Jacques Patarin and a similar

P.J. Lee (Ed.): ASIACRYPT 2004, LNCS 3329, pp. 338-353, 2004. 
attack was also applied in [15]. Algebraic attacks were also applied to block ciphers in [6], where the complexity for attacking AES and Serpent was evaluated. Moreover, algebraic attacks were applied to stream ciphers in [7], [8], [9] and improved in [1].

As a general method to solve a system of algebraic equations, we know Gröbner basis algorithms. The fastest of such algorithms previously known are the $F_4$ and $F_5$ algorithms introduced in [11] and [12], respectively.

The XL algorithm was proposed as an efficient algorithm for algebraic attacks. It was first introduced in [20] and applied to an attack on HFE, which is an improved version of the Matsumoto-Imai Public Key Scheme. It was improved in [5]. As stated in [20], in a cryptographic scheme, the system of algebraic equations we are interested in has a unique solution over its defining field. The XL algorithm was proposed as a powerful technique to solve such special systems. In [20], it was stated that the XL algorithm does not try to calculate a whole Gröbner basis and therefore it should be more efficient.

Recently, by using the algorithms $F_4$ and $F_5$, 80-bit HFE was first cryptanalyzed in [14], whereas the XL algorithm was not applicable to 80-bit HFE. Time results with an implementation under Magma are presented on A. Steel's web page (http://magma.maths.usyd.edu.au/users/allan/gb/). As we stated above, the $F_4$ and $F_5$ algorithms are Gröbner basis algorithms. Why did algebraic cryptanalysis based on these Gröbner basis algorithms exceed XL? We give an answer to this question in this article.

In this paper we clarify a relation between the XL algorithm and Gröbner basis algorithms. Moreover, we study the XL algorithm on semi-regular sequences, which correspond, according to a conjecture in the report [3], to almost all overdefined polynomial systems, and on the cryptosystem HFE.

More precisely, we show the following:

1. The XL algorithm does not introduce explicitly a monomial ordering. But we have proved that if the XL algorithm terminates, it will also terminate with a lexicographic ordering.

2. To solve a system of algebraic equations whose solution in a given finite field is unique amounts to nothing but calculating the reduced Gröbner basis for the ideal associated with that system.

3. By 2, the XL algorithm is actually a Gröbner basis algorithm. Moreover it is essentially the same as the one treated in [17] and can be viewed as a redundant variant of the Gröbner basis algorithm $F_4$.

4. We study the XL algorithm on semi-regular sequences.

On $\mathbb{F}_2$, the degree $D$ of the parameter needed for the XL algorithm is almost the same as the degree of the polynomials in the matrix constructed by the $F_5$ algorithm. But the complexity of these two algorithms is determined by the size of the matrix: for example, for quadratic multivariate polynomials with $n = 128$ and $m = 130$, both algorithms reach the same degree 17, and the matrices generated by the XL algorithm will have about $170 \times 10^{20}$ rows and $6 \times 10^{20}$ columns, compared to square matrices with only $6 \times 10^{20}$ rows and columns for the $F_5$ algorithm.

On the field $\mathbb{F}_q$, with $q$ very large compared to $n$, we show that the XL algorithm terminates for a degree higher than Gröbner basis algorithms with a DRL order. Then it is obvious that XL matrices are huge compared to $F_5$ matrices.

5. We complete this study on generic systems with a comparison of the XL algorithm and the Buchberger algorithm for the cryptosystem HFE. For this cryptosystem, a Gröbner basis algorithm finds a structure in the multivariate systems and never exceeds a low degree, whereas, for the XL algorithm, the degree seems to still increase with the number of variables $n$.

The XL algorithm was proposed to be a more efficient algorithm to solve a system of equations under a special condition without trying to calculate a whole Gröbner basis. But our results imply that the XL algorithm is not as efficient as it was expected to be.

In Section 2, we recall the description of the XL algorithm. In Section 3, we give an overview of the theory of Gröbner bases. In Section 4, we clarify a relation between the XL algorithm and the $F_4$ algorithm. In Section 5, we study the behavior of the XL algorithm on semi-regular sequences. In Section 6, we give experimental results on HFE systems, and in Section 7, we conclude this report.



2 The Basic Principle of XL

The XL algorithm is given as an algorithm which solves systems of quadratic equations having a solution in $k^n$ for a finite field $k = \mathbb{F}_q$. Let $\mathcal{A}$ be a system of multivariate equations $f_j = 0$ $(1 \le j \le m)$ for $f_j \in k[\mathbf{x}] := k[x_1, \ldots, x_n]$. We denote the ideal generated by all $f_j$ in $\mathcal{A}$ by $I_{\mathcal{A}}$. Then, XL is described as follows [20].

Algorithm 1 (The XL Algorithm). For a positive integer $D$, execute the following steps:

1. Multiply: Generate all the products $\prod_{j=1}^{r} x_{i_j} \cdot f_i$ with $r \le D - 2$ and total degree $\le D$.

2. Linearize: Consider each monomial in the $x_i$ of degree $\le D$ as a new variable and perform the Gaussian elimination on the equations obtained in Step 1. The ordering on the monomials must be such that all the terms containing one variable (say $x_1$) are eliminated last.

3. Solve: Assume that Step 2 yields at least one univariate equation in the powers of $x_1$. Solve this equation over the finite field (e.g., with Berlekamp's algorithm).

4. Repeat: Simplify the equations and repeat the process to find the values of the other variables.

In the original definition of the XL algorithm in [20], only quadratic equations are treated. If we change the condition "with $r \le D - 2$ and total degree $\le D$" in Step 1 to "with $r \le D - \deg(f_i)$", we can apply XL to a system of equations including a non-quadratic equation. Note that this change does not contradict the original XL setting when a system of equations consists of quadratic equations. So hereafter, we use this generalized version in order to work in the general case.

Remark 1. We can replace Step 1 of the XL algorithm by considering $f_i^*$, the homogenization of $f_i$: $f_i^* = Z^{\deg(f_i)} f_i(x_1/Z, \ldots, x_n/Z) \in k[\mathbf{x}, Z]$, and products $m f_i^*$ with $m$ a monomial of degree $D - \deg(f_i^*)$. All the computation is exactly the same. So the behavior of XL is the same on the homogenization of the system $\mathcal{A}$ as on $\mathcal{A}$. We will use this remark in Section 5, and for more properties of homogenization, we refer to [4].
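The four steps of Algorithm 1 in the generalized form just described, as an added example that is not code from the paper: a small XL solver over $\mathbb{F}_2$ run on a constructed toy system of three quadratics in three variables whose only solution in $\mathbb{F}_2^3$ is $(1, 0, 1)$ (the block checks this by brute force as well). It assumes that monomials are kept squarefree, i.e. the field equations $x_i^2 = x_i$ are applied while multiplying rather than appended as equations, so that the only univariate monomials in the eliminated-last variable are $1$ and that variable; Step 3 finds roots by evaluation instead of Berlekamp's algorithm. Variables are indexed from $0$, and all names (`xl_multiply`, `xl_linearize`, `xl_solve`, `EXAMPLE`) are this example's own.

```python
"""Added example, not the paper's code: the generalized XL algorithm over F_2.
Monomials are kept squarefree (x_i^2 = x_i is applied during multiplication, an
assumption of this example). A monomial is an int bitmask (bit i set <=> x_i
divides it); a polynomial over F_2 is a frozenset of monomials."""


def popcount(m):
    return bin(m).count("1")


def mono_times_poly(t, f):
    """t * f modulo x_i^2 = x_i; products that collide cancel in pairs over F_2."""
    out = frozenset()
    for m in f:
        out ^= frozenset([m | t])          # addition over F_2 = symmetric difference
    return out


def monomials_up_to(n, D):
    """All squarefree monomials in x_0..x_{n-1} of degree <= D."""
    return [m for m in range(1 << n) if popcount(m) <= D]


def xl_multiply(F, n, D):
    """Step 1 'Multiply' (generalized): every t * f with deg(t) <= D - deg(f)."""
    rows = []
    for f in F:
        for t in monomials_up_to(n, D - max(popcount(m) for m in f)):
            rows.append(mono_times_poly(t, f))
    return rows


def xl_linearize(rows, n, D):
    """Step 2 'Linearize': Gaussian elimination over F_2 in which the columns of the
    univariate monomials in x_0 (the monomials 1 and x_0) are eliminated last.
    Returns the univariate polynomials in x_0 present in the echelon form."""
    cols = sorted(monomials_up_to(n, D), key=lambda m: (m in (0, 1), m))
    idx = {m: i for i, m in enumerate(cols)}
    basis = {}                                   # pivot bit -> reduced row vector
    for r in rows:
        v = sum(1 << idx[m] for m in r)
        while v:
            pivot = v & -v                       # lowest set bit = leftmost column
            if pivot not in basis:
                basis[pivot] = v
                break
            v ^= basis[pivot]
    univariate = (1 << idx[0]) | (1 << idx[1])
    return [frozenset(cols[i] for i in range(len(cols)) if v >> i & 1)
            for v in basis.values() if v & ~univariate == 0]


def xl_terminating_degree(F, n, max_D):
    """Smallest D for which XL yields a univariate equation in x_0, or None."""
    for D in range(1, max_D + 1):
        if xl_linearize(xl_multiply(F, n, D), n, D):
            return D
    return None


def substitute_x0(f, a):
    """Step 4 helper: set x_0 = a and re-index x_1, x_2, ... as x_0, x_1, ..."""
    out = frozenset()
    for m in f:
        if m & 1 and a == 0:
            continue                             # the monomial vanishes
        out ^= frozenset([m >> 1])
    return out


def xl_solve(F, n, max_D):
    """Steps 3 and 4: roots of the univariate polynomials (by evaluation over F_2),
    substitution, and recursion on the remaining variables. Returns all solutions."""
    F = [f for f in F if f]                      # drop polynomials that became 0
    if n == 0:
        return [()] if not F else []            # a leftover nonzero constant: no solution
    D = xl_terminating_degree(F, n, max_D)
    if D is None:
        return []
    univ = xl_linearize(xl_multiply(F, n, D), n, D)
    roots = [a for a in (0, 1)
             if all((int(0 in p) + a * int(1 in p)) % 2 == 0 for p in univ)]
    return [(a,) + s for a in roots
            for s in xl_solve([substitute_x0(f, a) for f in F], n - 1, max_D)]


def brute_force_solutions(F, n):
    """Reference check: evaluate every polynomial at every point of F_2^n."""
    sols = []
    for point in range(1 << n):
        if all(sum(1 for m in f if m & point == m) % 2 == 0 for f in F):
            sols.append(tuple(point >> i & 1 for i in range(n)))
    return sols


def P(*monos):
    """Polynomial from monomials given as tuples of variable indices; () is 1."""
    return frozenset(sum(1 << i for i in mono) for mono in monos)


# Constructed toy system over F_2 in x_0, x_1, x_2 (not from the paper):
#   x_0 x_1 + x_2 + 1 = 0,   x_0 + x_1 x_2 + 1 = 0,   x_0 x_1 + x_0 + 1 = 0
EXAMPLE = [P((0, 1), (2,), ()), P((0,), (1, 2), ()), P((0, 1), (0,), ())]

if __name__ == "__main__":
    print("solutions by brute force:", brute_force_solutions(EXAMPLE, 3))
    print("XL terminates at D =", xl_terminating_degree(EXAMPLE, 3, 6))
    print("XL solution:", xl_solve(EXAMPLE, 3, 6))
```

At $D = 2$ the three equations alone contain no univariate row; at $D = 3$ the product $x_0 \cdot f_3$ reduces $f_3 = x_0x_1 + x_0 + 1$ to $x_0 + 1$, so XL terminates with $x_0 = 1$, and the two remaining variables are found by the recursion of Step 4. The column order in `xl_linearize` is the whole content of the ordering requirement in Step 2: because the multivariate columns get the low bit positions and pivots are taken from the lowest set bit, every basis vector whose pivot lies in the two univariate columns is supported on those columns only, which is the rank condition $\mathrm{rank}(M) > \mathrm{rank}(A)$ used later in Lemma 1.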

3 Gröbner Basis and Some Algorithms

3.1 Basic Notation and Definitions

Let $k[\mathbf{x}] = k[x_1, \ldots, x_n]$ be a polynomial ring with variables $x_1, \ldots, x_n$ over a field $k$. For a monomial $\mathbf{x}^{\alpha} = x_1^{\alpha_1} \cdots x_n^{\alpha_n}$, $|\alpha| := \sum_{i=1}^{n} \alpha_i$ is called the total degree of this monomial. In the following, the set of all monomials in the variables $x_1, \ldots, x_n$ is denoted by $M(x_1, \ldots, x_n)$, or simply by $M$. In the theory of Gröbner bases, we need to consider a monomial ordering (cf. [10]). One such ordering is the degree reverse lexicographical order (DRL) defined as follows:

Definition 1 (cf. [14]). For $\alpha = (\alpha_1, \ldots, \alpha_n)$, $\beta = (\beta_1, \ldots, \beta_n) \in \mathbb{Z}_{\ge 0}^n$, we say $\mathbf{x}^{\alpha} >_{DRL} \mathbf{x}^{\beta}$ if $|\alpha| = \sum_{i=1}^{n} \alpha_i > |\beta| = \sum_{i=1}^{n} \beta_i$, or $|\alpha| = |\beta|$ and the right-most nonzero entry of the vector $\alpha - \beta \in \mathbb{Z}^n$ is negative.

There are many monomial orderings. We choose one such ordering on $M$ and write it as $<$.

A nonzero polynomial $f$ in $k[\mathbf{x}]$ is written as $f = \sum_{\alpha} c_{\alpha} \mathbf{x}^{\alpha}$, $c_{\alpha} \ne 0$. We use the following notations:

$T(f) = \{c_{(\alpha_1, \ldots, \alpha_n)} x_1^{\alpha_1} \cdots x_n^{\alpha_n} \mid c_{(\alpha_1, \ldots, \alpha_n)} \ne 0\}$ : the set of terms of $f$

$M(f) = \{x_1^{\alpha_1} \cdots x_n^{\alpha_n} \mid c_{(\alpha_1, \ldots, \alpha_n)} \ne 0\}$ : the set of monomials of $f$

We denote the total degree, the leading monomial, the leading coefficient and the leading term with respect to $<$ by $\deg(f)$, $LM(f)$, $LC(f)$ and $LT(f)$ respectively. (For each definition, see [10].)

The ideal in $k[\mathbf{x}]$ generated by a subset $F$ is denoted by $(F)$. We also denote by $(I_1, \ldots, I_n)$ the minimal ideal containing the ideals $I_1, \ldots, I_n$.

Under the above notation, a Gröbner basis is defined as follows.

Definition 2. Let $M$ be the set of all monomials of $k[\mathbf{x}]$ with a fixed ordering. A finite subset $G = \{g_1, \ldots, g_m\}$ of an ideal $I$ is called a Gröbner basis if

$$(LT(g_1), \ldots, LT(g_m)) = (LT(I)).$$

For a given ideal $I$, its Gröbner basis is not unique. But the reduced Gröbner basis, which is defined as follows, is uniquely determined.

Definition 3. A Gröbner basis $G = \{f_1, \ldots, f_m\}$ of an ideal $I$ is called a reduced Gröbner basis if for all $i$, $LC(f_i) = 1$ and no monomial of $f_i$ is divisible by any element of $LM(G \setminus \{f_i\})$.



3.2 The Buchberger Algorithm

An algorithm which calculates a Gröbner basis is called a Gröbner basis algorithm. The Buchberger algorithm is one of them.

Definition 4. Let $f, g \in k[\mathbf{x}]$ be nonzero polynomials. The S-polynomial of $f$ and $g$ is the combination

$$S(f, g) := LC(g)\,\frac{\mathrm{lcm}(LM(f), LM(g))}{LM(f)}\, f \;-\; LC(f)\,\frac{\mathrm{lcm}(LM(f), LM(g))}{LM(g)}\, g .$$

For a finite set $G$ of polynomials in $k[\mathbf{x}]$ and a polynomial $f \in k[\mathbf{x}]$, we denote by $\overline{f}^{G}$ a remainder of $f$ on division by $G$. (For the definition of division by a finite set of polynomials, see [10] for example.)

Theorem 1. A basis $G = \{g_1, \ldots, g_m\}$ of an ideal $I$ in $k[\mathbf{x}]$ is a Gröbner basis if and only if for all pairs $i \ne j$, $\overline{S(g_i, g_j)}^{G} = 0$.

As a result of Theorem 1, we have the Buchberger algorithm:

Algorithm 2 (The Buchberger Algorithm).

Input: an ordered set $F = (f_1, \ldots, f_m)$ in $k[\mathbf{x}]$

Output: a Gröbner basis $G = \{g_1, \ldots, g_s\}$ for $I = (f_1, \ldots, f_m)$ with $F \subseteq G$

    G := F
    Repeat
        H := G
        For each pair (p, q), p != q in H,
            If S := S(p, q)^G != 0, Then G := G ∪ {S}
    Until H = G

We remark that the reduced Gröbner basis is calculated in a finite number of steps from a Gröbner basis.



3.3 Some Other Algorithms

D. Lazard in the article [17] describes a relationship between the method of computation of Gröbner bases and the one based on Gaussian elimination on the matrix for the system $\mathcal{A}$. Moreover there are some other Gröbner basis algorithms based on Gaussian elimination: $F_4$ [11], FGLM [13] and $F_5$ [12]. We explain now the relationship between polynomials and matrices.

For a system $\mathcal{A}$ of equations $f_j = 0$ $(j = 1, 2, \ldots, m)$, let us consider a finite list $G = (g_1, \ldots, g_m)$ of elements of the ideal generated by the $f_j$, and the ordered set $M_G = [t_1, \ldots, t_l]$ of the monomials of all $g_i$ with respect to a fixed order $<$. A matrix $A$ whose $(i, j)$-entry is given as the coefficient of $t_j$ in $g_i$ is called the coefficient matrix of $G$. Note that ${}^tG = A\,{}^tM_G$, where ${}^tG$ and ${}^tM_G$ mean the transpose of each. Let $\tilde{A}$ be the row echelon form of $A$ obtained by using elementary row operations in standard linear algebra¹. Then we call $\tilde{G}$ given by ${}^t\tilde{G} := \tilde{A}\,{}^tM_G$ the row echelon basis of $G$. When we take the reduced row echelon form of $A$, we call $\tilde{G}$ the reduced row echelon basis of $G$ (in [11], this is called the row echelon basis). Calculation of the reduced row echelon basis is an essential part of $F_4$.



4 Relation Between XL and Gröbner Basis Algorithms

4.1 The Choice of a Monomial Ordering

To compare the XL algorithm with Gröbner basis algorithms, we need to give an explicit monomial ordering for XL. As the XL algorithm does not give an explicit monomial ordering, we need to introduce the following lemma:

Lemma 1. Let $\mathcal{A}$ be a system of $m$ multivariate equations with $n$ variables.

XL terminates for a degree $D$ $\iff$ XL terminates for a degree $D$ with the lexicographic ordering

Proof. Let $M$ (resp. $M'$) be the coefficient matrix of the list $\{(\prod_{j=1}^{k} x_{i_j}) \cdot f_i\}$ with $k \le D - \deg(f_i)$ for XL (resp. with the lexicographic ordering). So we can write $M = (A \mid B)$ and $M' = (A' \mid B')$ such that $B$ (resp. $B'$) corresponds to the columns for the univariate monomials. Moreover $M'$, $A'$ and $B'$ are only column permutations of $M$, $A$ and $B$.

If XL terminates for a degree $D$, it means that $\mathrm{rank}(M) > \mathrm{rank}(A)$. Then $\mathrm{rank}(M') > \mathrm{rank}(A')$ and then XL will find a univariate polynomial with the lexicographic ordering. □

4.2 Pre-assumption of the XL Algorithm

Let $k = \mathbb{F}_q$ be a finite field with $q$ elements and let $\mathcal{A}$ be a system of multivariate equations $f_j = 0$ $(1 \le j \le m)$ where $f_j \in k[x_1, \ldots, x_n]$. As stated implicitly in the introduction of [20], XL was proposed to be an efficient algorithm to solve a system of multivariate equations satisfying the following condition.

Condition 1. The system $\mathcal{A}$ has only one solution $(x_1, \ldots, x_n) = (a_1, \ldots, a_n)$ in $k^n$ (i.e. $\mathcal{A}$ has a solution $(a_1, \ldots, a_n)$ in $k^n$ and no other solution in $k^n$).

Note that the system $\mathcal{A}$ under Condition 1 can have another solution in $K^n$ for some extension field $K \supsetneq k$ of $k$. To determine the solution in $k^n$, we need the extra equations $x_i^q - x_i = 0$ $(i = 1, \ldots, n)$. Thus the ideal we have to consider is generated by $f_j$ $(j = 1, \ldots, m)$ and $x_i^q - x_i$ $(i = 1, \ldots, n)$. We denote this ideal by $I_{\mathcal{A}}$. Then we have the following important theorem.



¹ This procedure is the so-called Gaussian elimination.
Theorem 2. Let $\mathcal{A}$ be a system of multivariate equations $f_j = 0$, $j = 1, 2, \ldots, m$ in $k[x_1, \ldots, x_n]$ with $k = \mathbb{F}_q$. Let $I_{\mathcal{A}}$ be the ideal $(f_1, \ldots, f_m, x_1^q - x_1, \ldots, x_n^q - x_n)$. Then a solution $(x_1, \ldots, x_n) = (a_1, \ldots, a_n) \in k^n$ of $\mathcal{A}$ is unique in $k^n$ if and only if $I_{\mathcal{A}} = (x_1 - a_1, \ldots, x_n - a_n)$.

Proof. If $(x_1, \ldots, x_n) = (a_1, \ldots, a_n)$ is the unique solution in $k^n$ of $\mathcal{A}$, then $I_{\mathcal{A}} \subseteq (x_1 - a_1, \ldots, x_n - a_n)$, and $(a_1, \ldots, a_n)$ is the unique solution in $\bar{k}^n$ of the system which consists of $f_j = 0$ $(j = 1, \ldots, m)$ and $x_i^q - x_i = 0$ $(i = 1, \ldots, n)$ for an algebraic closure $\bar{k}$ of $k$, because $x_i^q - x_i = 0$ has solutions only in $k$. Then from Hilbert's Nullstellensatz (cf. [10]), for each $i = 1, \ldots, n$ there exists a positive integer $\lambda_i$ such that $(x_i - a_i)^{\lambda_i} \in I_{\mathcal{A}}$. Since $x_i - a_i = \gcd(x_i^q - x_i, (x_i - a_i)^{\lambda_i}) \in I_{\mathcal{A}}$, we have $I_{\mathcal{A}} = (x_1 - a_1, \ldots, x_n - a_n)$. The converse is obvious. □

By this theorem, Condition 1 is equivalent to the following condition.

Condition 2. The reduced Gröbner basis with respect to DRL of the ideal $I_{\mathcal{A}} = (f_1, \ldots, f_m, x_1^q - x_1, \ldots, x_n^q - x_n)$ is $\{x_1 - a_1, \ldots, x_n - a_n\}$.

Thus the problem of solving $\mathcal{A}$ defined over $k = \mathbb{F}_q$ under Condition 1 coincides with the problem of calculating the reduced Gröbner basis of the ideal generated by the equations in $\mathcal{A}$ and the field equations $x_i^q - x_i = 0$ under Condition 2, which is not a new problem. In particular, if the XL algorithm can solve a system $\mathcal{A}$ of algebraic equations over $\mathbb{F}_q$ under Condition 1, it actually computes the reduced Gröbner basis of the ideal $I_{\mathcal{A}}$.
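The Buchberger algorithm of Section 3.2 and the criterion of Theorem 2, as an added example that is not code from the paper: Algorithm 2 over a prime field $\mathrm{GF}(p)$ with the S-polynomial of Definition 4, the DRL order of Definition 1 and the division remainder $\overline{f}^{G}$ of Theorem 1, followed by the reduction to the reduced Gröbner basis of Definition 3. It is run on a constructed system of three quadratics over $\mathbb{F}_2$ whose only solution in $\mathbb{F}_2^3$ is $(1, 0, 1)$, together with the field equations $x_i^2 - x_i$; by Theorem 2 the reduced Gröbner basis of that ideal must be $\{x_1 - 1, x_2, x_3 - 1\}$. The function names and the sample system are this example's own.

```python
"""Added example, not the paper's code: Buchberger's algorithm (Algorithm 2) with
the S-polynomial of Definition 4 and the DRL order of Definition 1 over GF(p),
then the reduction to the reduced Groebner basis of Definition 3. A polynomial is
a dict {exponent tuple: coefficient in 1..p-1}; the zero polynomial is {}."""
from itertools import combinations


def drl_key(m):
    """Sort key for >_DRL: higher total degree wins; on a tie the monomial whose
    rightmost differing exponent is smaller is the larger one."""
    return (sum(m), tuple(-e for e in reversed(m)))


def lm(f):
    return max(f, key=drl_key)                   # leading monomial LM(f)


def divides(a, b):
    return all(x <= y for x, y in zip(a, b))


def add(f, g, p):
    h = dict(f)
    for m, c in g.items():
        h[m] = (h.get(m, 0) + c) % p
        if h[m] == 0:
            del h[m]
    return h


def mul_term(f, c, t, p):
    """(c * x^t) * f for a nonzero scalar c and an exponent tuple t."""
    return {tuple(a + b for a, b in zip(m, t)): (c * k) % p for m, k in f.items()}


def s_polynomial(f, g, p):
    """Definition 4: LC(g) (lcm/LM(f)) f - LC(f) (lcm/LM(g)) g."""
    mf, mg = lm(f), lm(g)
    lcm = tuple(max(a, b) for a, b in zip(mf, mg))
    left = mul_term(f, g[mg], tuple(a - b for a, b in zip(lcm, mf)), p)
    right = mul_term(g, (-f[mf]) % p, tuple(a - b for a, b in zip(lcm, mg)), p)
    return add(left, right, p)


def remainder(f, G, p):
    """A remainder of f on division by the set G (the f^G of Theorem 1)."""
    f, r = dict(f), {}
    while f:
        m = lm(f)
        for g in G:
            if divides(lm(g), m):                # cancel the leading term of f with g
                c = (-f[m] * pow(g[lm(g)], -1, p)) % p
                f = add(f, mul_term(g, c, tuple(a - b for a, b in zip(m, lm(g))), p), p)
                break
        else:
            r[m] = f.pop(m)                      # no LM of G divides m: it is a remainder term
    return r


def buchberger(F, p):
    """Algorithm 2: add reduced S-polynomials until no pair yields a new element."""
    G = [dict(f) for f in F if f]
    while True:
        H = list(G)
        for f, g in combinations(H, 2):
            S = remainder(s_polynomial(f, g, p), G, p)
            if S:
                G.append(S)
        if len(G) == len(H):
            return G


def reduced_groebner_basis(F, p):
    """Definition 3: monic, no LM divisible by another LM, each element reduced by
    the others; sorted by leading monomial so that the result is canonical."""
    G = [mul_term(g, pow(g[lm(g)], -1, p), (0,) * len(lm(g)), p) for g in buchberger(F, p)]
    minimal = [g for i, g in enumerate(G)
               if not any(j != i and divides(lm(h), lm(g)) and (lm(h) != lm(g) or j < i)
                          for j, h in enumerate(G))]
    for i in range(len(minimal)):
        minimal[i] = remainder(minimal[i], minimal[:i] + minimal[i + 1:], p)
    return sorted(minimal, key=lambda g: drl_key(lm(g)))


def field_equations(n, p):
    """x_i^p - x_i for i = 1..n: the equations that pin the solutions to GF(p)^n."""
    eqs = []
    for i in range(n):
        e, ep = [0] * n, [0] * n
        e[i], ep[i] = 1, p
        eqs.append({tuple(ep): 1, tuple(e): p - 1})
    return eqs


# Constructed toy system over F_2 in x_1, x_2, x_3 (not from the paper) with the
# unique solution (1, 0, 1); with the field equations, Theorem 2 says the reduced
# Groebner basis is {x_1 - 1, x_2, x_3 - 1}, i.e. {x_1 + 1, x_2, x_3 + 1} over F_2.
EXAMPLE_F2 = [
    {(1, 1, 0): 1, (0, 0, 1): 1, (0, 0, 0): 1},    # x1 x2 + x3 + 1
    {(1, 0, 0): 1, (0, 1, 1): 1, (0, 0, 0): 1},    # x1 + x2 x3 + 1
    {(1, 1, 0): 1, (1, 0, 0): 1, (0, 0, 0): 1},    # x1 x2 + x1 + 1
] + field_equations(3, 2)

if __name__ == "__main__":
    for g in reduced_groebner_basis(EXAMPLE_F2, 2):
        print(g)
```

Dropping the field equations from `EXAMPLE_F2` changes the ideal to one with further solutions in extension fields of $\mathbb{F}_2$, and the reduced basis is no longer of the form $\{x_i - a_i\}$; that is precisely the reason Condition 2 is stated for the ideal with the field equations included.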

4.3 Relation Between XL and the $F_4$ Algorithm

We use the same notation as in (3.1). Here we show that the XL algorithm gives a Gröbner basis algorithm which can be viewed as a redundant variant of the $F_4$ algorithm. (For the description of the original $F_4$, see [11].) To give such a description, we need the following definition.

Definition 5. (1) A critical pair of two polynomials $(f_i, f_j)$ is an element of $M^2 \times k[\mathbf{x}] \times M \times k[\mathbf{x}]$, $Pair(f_i, f_j) := (lcm_{ij}, t_i, f_i, t_j, f_j)$, such that

$$lcm(Pair(f_i, f_j)) = lcm_{ij} = LM(t_i f_i) = LM(t_j f_j) = \mathrm{lcm}(LM(f_i), LM(f_j)).$$

(2) For a critical pair $p_{ij} = Pair(f_i, f_j)$, $\deg(lcm_{ij})$ is called the degree of $p_{ij}$ and denoted by $\deg(p_{ij})$. Let $P$ be a list of critical pairs. For $p = Pair(f, g) \in P$ and $d \in \mathbb{N}$, we define two functions $XLLeft(p, d) = \{(t, f) \mid t \in M, \deg(t * f) \le d\}$ and $XLRight(p, d) = \{(t, g) \mid t \in M, \deg(t * g) \le d\}$. We write $XLLeft(P, d) = \bigcup_{p \in P} XLLeft(p, d)$ and $XLRight(P, d) = \bigcup_{p \in P} XLRight(p, d)$.

For a list of critical pairs $P$ and a positive integer $d \in \mathbb{N}$, we set $Sel(P, d) := \{p \in P \mid \deg(lcm(p)) \le d\}$.

Now we give an $F_4$-like description of the XL algorithm.
Algorithm 3 (The XL Algorithm).

Input: $F$: a finite subset of $k[\mathbf{x}]$; $<$: fixed as above.

Output: a finite subset of $k[\mathbf{x}]$.

    G := F, F+ := F and d := 0
    P := {Pair(f, g) | f, g ∈ G with f ≠ g}
    While P ≠ ∅ Do
        d := d + 1
        L_d := XLLeft(P, d) ∪ XLRight(P, d)
        P_d := Sel(P, d)
        P := P \ P_d
        F_d+ := Reduction(L_d)
        For h ∈ F_d+ Do
            P := P ∪ {Pair(h, g) | g ∈ G}
            G := G ∪ {h}
    Return G

Reduction

Input: a finite subset $L$ of $M \times k[\mathbf{x}]$

Output: a finite subset of $k[\mathbf{x}]$ (possibly an empty set).

    F := Symbolic Preprocessing(L)
    F~ := Reduction to Row Echelon Basis of F w.r.t. <
    F+ := {f ∈ F~ | LM(f) ∉ LM(F)}
    Return F+

Symbolic Preprocessing

Input: a finite subset $L$ of $M \times k[\mathbf{x}]$

Output: a finite subset of $k[\mathbf{x}]$

    F := {t * f | (t, f) ∈ L}
    Return F

Remark 2. In the original description of XL, it seems that the bound $D$ is taken globally at once. However, to implement XL, there seem to be the following four ways to realize the process determining the optimal value of $D$. Let $\mathcal{A}$ be a system of equations you want to solve. Then each way is described as follows.

1. Begin with $D = 1$. Do XL described as in Definition 1 for $\mathcal{A}$. If you cannot obtain the solution, set $D := D + 1$ and do XL again for $\mathcal{A}$ with the new $D$.

2. Begin with $D = 1$. Iterate 'Multiply' and 'Linearize' described as in Definition 1 for $\mathcal{A}$ by adding new equations obtained by 'Linearize' to $\mathcal{A}$. If you cannot solve the resulting system, then return to the original $\mathcal{A}$, set $D := D + 1$ and iterate the same procedure as for $D = 1$. Repeat until you obtain the solution.

3. Begin with $D = 1$. Do XL described as in Definition 1 for $\mathcal{A}$. If you cannot obtain the solution, then set $D := D + 1$, replace $\mathcal{A}$ by the resulting system obtained by 'Linearize' in the previous XL and do XL again for the new $\mathcal{A}$ and $D$. Repeat until you obtain the solution.

4. Begin with $D = 1$. Iterate 'Multiply' and 'Linearize' described as in Definition 1 for $\mathcal{A}$ by adding new equations obtained by 'Linearize' to $\mathcal{A}$. If you cannot solve the resulting system $\mathcal{A}'$, then replace $\mathcal{A}$ by $\mathcal{A}'$, set $D := D + 1$ and iterate the same procedure as for $D = 1$. Repeat until you obtain the solution.

The first two processes are slightly different from the others. The degree reached by the third and the fourth ones can be lower than the degree of the others. The Gaussian elimination of polynomials of degree $D$ can give polynomials of degree lower than or equal to $D - 1$. For example, let us consider the system $x_2 + x_3 = 0$, $x_1 x_2 - x_2 = 0$, $x_3 + {} = 0$. For $D = 3$, the polynomial $x_3 x_1 - x_3 = (x_1 - 1)(x_2 + x_3) - x_2(x_1 x_2 - x_2)$ appears in the resulting system obtained by 'Linearize', and then for $D = 4$, the third and fourth methods find the univariate polynomial xf — xi = (xi — l)(x| + Xi) — x^(x3Xi — X3), whereas the first two methods need a degree $D = 5$ to find this polynomial, because xl~Xi = {xi - l)(x| + Xi) - {x^Xi - xl){xl + X3) + x\x2{xiX2 ~ X2).

In the above description of XL, we take the third one. You may take one of the other three realizations, but the rest of our results holds for all of them. We should remark that XL taking $D$ as in the first one is essentially the same as the Gröbner basis algorithm treated in [17].

In the above description of the XL algorithm, we keep some redundancy in the description to show the similarity to the $F_4$ algorithm. Note that in algebraic attacks using XL, the input $F$ should be a set of polynomials which comes from all equations in a given system of equations $\mathcal{A}$ whose solution in $k^n$ is unique and all field equations $x_i^q - x_i = 0$ for all variables $x_i$. 'Multiply' in XL corresponds to the calculation of $L_d$ and "Symbolic Preprocessing", and 'Linearize' corresponds to "Reduction". Note that XL in the above description can be viewed as a redundant variant of $F_4$. This is because XLLeft and XLRight collect more polynomials and therefore the set of polynomials constructed in "Symbolic Preprocessing" is much larger than the one in $F_4$. In fact, XL collects all the products $(\prod_{j=1}^{r} x_{i_j}) * f_i$, $r \le D - \deg(f_i)$, whereas $F_4$ collects only the polynomials needed in the Gaussian elimination.

The above description enables us to prove the following theorem.

Theorem 3. Let $F$ be a finite set of polynomials in $k[\mathbf{x}]$. Then Algorithm 3 computes a Gröbner basis $G$ for the ideal $(F)$ in $k[\mathbf{x}]$ such that $F \subseteq G$.

Proof. Let $d$ be a positive integer and $G_d$ the set $G$ obtained for that $d$ in the while-loop. If $F_d^+ \ne \emptyset$, then $\deg h \le d$ for any $h \in F_d^+$ and hence $h \in L_{d+1}$ in the next loop. Then it is obvious that $h \notin L_d$. Since any $g \in G_{d-1}$ with $\deg g \le d$ is contained in $L_d$, $h \notin G_{d-1}$ for any $h \in F_d^+$, and hence we have $G_{d-1} \subsetneq G_d$ when $F_d^+ \ne \emptyset$.

First, we show that Algorithm 3 terminates in a finite number of steps. Suppose that Algorithm 3 does not terminate. Then there is an infinite sequence $(d_i)$ of positive integers such that $d_i < d_{i+1}$ and $F_{d_i}^+ \ne \emptyset$ for all $i$. From the above observation, we have an infinite ascending chain $G_{d_1} \subsetneq G_{d_2} \subsetneq \cdots$. But this contradicts the fact that the ring $k[\mathbf{x}]$ is noetherian.

Now we show that the output $G$ of Algorithm 3 is actually a Gröbner basis of $(F)$. Since $G = \bigcup_{d \ge 0} F_d^+$, we have $F \subseteq G \subseteq (F)$. The remaining task is to show $\overline{S(f, g)}^{G} = 0$ for all $f \ne g$ in $G$. Put $d := \deg(Pair(f, g))$. Then the S-polynomial $S(f, g)$ is contained in $L_d$ and hence $\overline{S(f, g)}^{L_d} = 0$. In particular, we obtain $\overline{S(f, g)}^{G} = 0$. Thus, by Theorem 1, the output $G$ is actually a Gröbner basis of $(F)$. □



5 Semi-regular Sequences

In this section, we try to give a bound on the matrix size of the XL algorithm compared to the matrix size of the $F_5$ algorithm for most polynomial systems.

5.1 Presentation of Semi-regular Sequences

In the report [3], the notion of semi-regular sequences was presented for overdefined systems over the finite field $\mathbb{F}_2$ and for affine systems. We have to distinguish two important cases for finite fields, $\mathbb{F}_2$ and $\mathbb{F}_q$. In the field $\mathbb{F}_2$, we have a criterion deduced from the Frobenius map. If we are interested in a system $\mathcal{A}$ over a field $\mathbb{F}_q$ with $q \gg n$, i.e. $q$ is very high compared to $n$, then the trivial relation issued from the Frobenius map will not be reached during the computation, and all the computation done is similar to computation over $\mathbb{Q}$.

Definition 6.

Homogeneous Semi-regular Sequence: Let $f_1, \ldots, f_m$ be a sequence of $m$ homogeneous polynomials (i.e. for all monomials $t$ of $f_i$, $\deg(t) = \deg(f_i)$) in $\mathcal{R}_n^h := \mathbb{F}_2[x_1, \ldots, x_n]/(x_1^2, \ldots, x_n^2)$ or $\mathbb{Q}[x_1, \ldots, x_n]$, and $I = (f_1, \ldots, f_m)$ an ideal of $\mathcal{R}_n^h$ or $\mathbb{Q}[x_1, \ldots, x_n]$.

— The degree of regularity of $I$ is the minimal degree $d$ such that $\{LT(f) \mid f \in I, \deg(f) = d\}$ is exactly the set of monomials of degree $d$ in $\mathcal{R}_n^h$; it is denoted by $D_{reg}(I)$.

— $f_1, \ldots, f_m$ is a homogeneous semi-regular sequence on $\mathbb{F}_2$ if $I \ne \mathcal{R}_n^h$ and, for $i \in \{1, \ldots, m\}$, if $g_i f_i = 0$ in $\mathcal{R}_n^h/(f_1, \ldots, f_{i-1})$ and $\deg(g_i f_i) < D_{reg}(I)$ then $g_i = 0$ in $\mathcal{R}_n^h/(f_1, \ldots, f_{i-1}, f_i)$.

— $f_1, \ldots, f_m$ is a homogeneous semi-regular sequence on $\mathbb{Q}$ if $I \ne \mathbb{Q}[x_1, \ldots, x_n]$ and, for $i \in \{1, \ldots, m\}$, if $g_i f_i = 0$ in $\mathbb{Q}[x_1, \ldots, x_n]/(f_1, \ldots, f_{i-1})$ and $\deg(g_i f_i) < D_{reg}(I)$ then $g_i = 0$ in $\mathbb{Q}[x_1, \ldots, x_n]/(f_1, \ldots, f_{i-1})$.

Affine Semi-regular Sequence: Let $f_1, \ldots, f_m$ be a sequence of $m$ polynomials, and $I = (f_1, \ldots, f_m)$ an ideal of $\mathbb{F}_2[x_1, \ldots, x_n]/(x_1^2 - x_1, \ldots, x_n^2 - x_n)$ or $\mathbb{Q}[x_1, \ldots, x_n]$. Let $f_i^h$ be the homogeneous part of the largest degree of $f_i$.

— $f_1, \ldots, f_m$ is a semi-regular sequence if $f_1^h, \ldots, f_m^h$ is a homogeneous semi-regular sequence.

— the degree of regularity of $I$ is the degree of regularity of $(f_1^h, \ldots, f_m^h)$, denoted by $D_{reg}$.

With this sequence of polynomials, the matrix generated by the $F_5$ algorithm has full rank for the degrees $d < D_{reg}$. Moreover, all polynomials computed by $F_5$ have a degree lower than or equal to $D_{reg}$.

This means that, for semi-regular sequences, the number of rows $H_{m,n}(d)$ of the matrix in the homogeneous case, for $d < D_{reg}$, is known, and is given by the recurrence formula $H_{m,n}(d) = H_{m-1,n}(d) + \#\{\text{monomials of degree } d - d_m\} - H_{m,n}(d - d_m)$ with initial conditions $H_{m,n}(d) = 0$ if $m \le 0$ or $d < \min\{\deg(f_k) \mid k \le m\}$. Then the number of rows of a matrix for the affine case is $\sum_{d'=1}^{d} H_{m,n}(d')$.

The degree $D_{reg}$ corresponds to the degree $d$ at which we will have more rows than columns for the homogeneous part of the largest degree. It is the minimal degree such that $H_{m,n}(d) \ge \#\{\text{monomials of degree } d\}$. If we consider the series $f(y) = \sum_{d \ge 0} \bigl(H_{m,n}(d) - \#\{\text{monomials of degree } d\}\bigr) y^d$, the degree $D_{reg}$ is given when the coefficient of this series is negative; the expression of $f$ for quadratic equations is:

for $\mathbb{F}_2$, and for $\mathbb{F}_q$ with $q > n$.

Moreover, in the article [3], the authors have made a conjecture verified on many computer experiments:

Conjecture 1. Almost all polynomial systems are semi-regular sequences.

As the XL algorithm computes for a homogeneous system, we work on semi-regular sequences such that the homogenization of the sequences is still semi-regular. With these hypotheses, the conjecture is still true.

If we want to find a univariate polynomial for the original description of XL, we need to have a number of rows higher than the number of monomials of degree $\le D$ minus the number of univariate monomials in $x_1$ (i.e., $x_1$ and $1$ for $\mathbb{F}_2$, and $1, \ldots, x_1^D$ for $\mathbb{F}_q$).

This means that the degree $D$ of the XL algorithm is given when the coefficient of this series is negative; the expression of $f$ for quadratic equations is:

$$f(y) = \frac{(1+y)^n}{(1-y)(1+y^2)^m} - \frac{1+y}{1-y} \quad \text{for } \mathbb{F}_2,$$

$$f(y) = \frac{(1-y^2)^m}{(1-y)^{n+1}} - \frac{1}{(1-y)^2} \quad \text{for } \mathbb{F}_q, \text{ with } q > n.$$
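The recurrence for $H_{m,n}(d)$ and the degree of regularity of Section 5.1, as an added example that is not code from the paper: it evaluates the recurrence for $m$ quadratic equations in $n$ variables over $\mathbb{F}_2$, expands the series $(1+y)^n/(1+y^2)^m$ (the Hilbert series of a semi-regular quadratic system over $\mathbb{F}_2$, whose $d$-th coefficient is $\#\{\text{monomials of degree } d\} - H_{m,n}(d)$), checks that the two agree term by term, and reads off $D_{reg}$ as the first degree whose coefficient is $\le 0$ (a zero coefficient is counted as full rank). For $\mathbb{F}_q$ with $q \gg n$ it uses $(1-y^2)^m/(1-y)^n$, the standard Hilbert series of a regular sequence of $m$ quadrics; that series is this example's assumption, since the page does not state its own expression for that case. The function names are this example's own.

```python
"""Added example, not the paper's code: the row-count recurrence of Section 5.1
for m quadratic equations in n variables over F_2,
    H_{m,n}(d) = H_{m-1,n}(d) + #{monomials of degree d-2} - H_{m,n}(d-2),
compared with the series (1+y)^n/(1+y^2)^m, whose d-th coefficient equals
#{monomials of degree d} - H_{m,n}(d), and D_reg read off from the first
coefficient <= 0. The F_q (q >> n) series (1-y^2)^m/(1-y)^n is assumed here."""
from functools import lru_cache
from math import comb


def monomials_f2(n, d):
    """Squarefree monomials of degree d in n variables (x_i^2 = x_i)."""
    return comb(n, d) if 0 <= d <= n else 0


@lru_cache(maxsize=None)
def H(m, n, d):
    """Rows of the degree-d homogeneous matrix for m quadrics over F_2 (recurrence)."""
    if m <= 0 or d < 2:                  # initial conditions: no equation, or d below min deg
        return 0
    return H(m - 1, n, d) + monomials_f2(n, d - 2) - H(m, n, d - 2)


def series_f2(m, n, bound):
    """Coefficients 0..bound of (1+y)^n / (1+y^2)^m."""
    c = [comb(n, i) for i in range(bound + 1)]          # (1+y)^n
    for _ in range(m):                                   # divide by (1+y^2): c_i = a_i - c_{i-2}
        out = []
        for i, a in enumerate(c):
            out.append(a - (out[i - 2] if i >= 2 else 0))
        c = out
    return c


def series_fq(m, n, bound):
    """Coefficients 0..bound of (1-y^2)^m / (1-y)^n (assumed series, see above)."""
    c = [0] * (bound + 1)
    for k in range(m + 1):                               # (1-y^2)^m
        if 2 * k <= bound:
            c[2 * k] = (-1) ** k * comb(m, k)
    for _ in range(n):                                   # divide by (1-y) = prefix sums
        total, out = 0, []
        for a in c:
            total += a
            out.append(total)
        c = out
    return c


def d_reg(coeffs):
    """First degree whose coefficient is <= 0, or None if there is none in range."""
    for d, c in enumerate(coeffs):
        if c <= 0:
            return d
    return None


def d_reg_f2(m, n):
    return d_reg(series_f2(m, n, n + 1))      # over F_2 no monomial exceeds degree n


def d_reg_fq(m, n):
    return d_reg(series_fq(m, n, m + n + 2))


def recurrence_matches_series_f2(m, n, bound):
    """#{monomials of degree d} - H_{m,n}(d) must equal the d-th series coefficient."""
    return all(monomials_f2(n, d) - H(m, n, d) == c
               for d, c in enumerate(series_f2(m, n, bound)))


if __name__ == "__main__":
    print("D_reg over F_2 for (m, n) = (4, 4):", d_reg_f2(4, 4))
    print("D_reg over F_q for (m, n) = (3, 3):", d_reg_fq(3, 3))
    print("recurrence agrees with the series:", recurrence_matches_series_f2(6, 9, 10))
```

The agreement of the recurrence with the series is exact for every degree, not only below $D_{reg}$: writing $Q_m(y)$ for the series of $\#\{\text{monomials}\} - H_{m,n}$, the recurrence is equivalent to $Q_m(y) = Q_{m-1}(y)/(1+y^2)$ with $Q_0(y) = (1+y)^n$. The rows of the affine XL matrix discussed next are the partial sums $\sum_{d' \le D} H_{m,n}(d')$ of the same quantity, which is where the extra factor $1/(1-y)$ in the XL series comes from.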



5.2 On the Field $\mathbb{F}_2$

Figure 1(a) presents a comparison of the degree reached by the XL algorithm and by Gröbner basis computation for a variation of the number of variables $n$, and Figure 1(b) for a variation of the number of equations $m$.
[Figure 1, panels (a) and (b): degree reached, with legend "XL algorithm" and "F5 algorithm"; the x-axis of panel (b) is "Nb of equations", ranging from 32 to 252.]

Fig. 1. Behavior of the XL algorithm and the $F_5$ algorithm on $\mathbb{F}_2$



With these figures, we do not have a noticeable difference between the degree 
reached by the two algorithms. So we can say that for random systems, the 
methods of XL and Grobner basis are almost the same. 

From the complexity point of view, if $N_D$ is the size of the matrix constructed, then the whole complexity is the cost of linear algebra on this matrix, which is $N_D^{\omega}$ where $\omega \le 3$ is the coefficient of linear algebra. The XL algorithm creates matrices with $m \sum_{k=0}^{D-2} \binom{n}{k}$ rows and $\sum_{k=0}^{D} \binom{n}{k}$ columns, whereas F5 creates square matrices with $\binom{n}{D}$ columns.

So the number of columns of the F5 algorithm matrices is lower than or equal to the one of the XL algorithm matrices, whereas the number of rows of the matrices constructed is very different. Figure 2 presents the number of rows of each matrix with a logarithmic scale. As we can see, the difference between the two curves gives us a multiplicative constant.

5.3 On the Field $\mathbb{F}_q$, with $q$ Large

Figure 3(a) presents a comparison of the degree reached between the XL algorithm and Gröbner basis computation for a variation of the number of variables $n$ with $m = n + 2$, and Figure 3(b) for a variation of the number of equations $m$. First we can see that for random polynomials we have always computed a Gröbner basis before finding the univariate polynomial for a degree $D$. Moreover, we can see that the behavior of the degree of the XL algorithm does not seem to follow the formula as it was said in [6].

[Figure 2: number of rows of the XL and F5 matrices, logarithmic scale.]
Fig. 2. Matrices of the XL algorithm and F5 algorithm on $\mathbb{F}_2$

[Figure 3: (a) degree reached against the number of variables $n$ with $m = n + 2$; (b) degree reached against the number of equations $m$.]
Fig. 3. Behavior of the XL algorithm and the F5 algorithm on $\mathbb{F}_q$

As the complexity is $N_D^{\omega}$, where $N_D$ is the size of the matrix constructed and $\omega$ the coefficient of linear algebra, and the XL algorithm has a higher degree $D$ than the F5 algorithm, the difference in the size of the constructed matrices is very important. For example, for quadratic multivariate polynomials with $n = 128$ and $m = 130$, the XL algorithm reached degree 66 whereas the F5 algorithm reached degree 61. So the matrices generated by the XL algorithm will have about $94317 \times 10^{49}$ rows and $6332 \times 10^{49}$ columns, compared to square matrices with only $8.4 \times 10^{49}$ rows and columns for the F5 algorithm.

For the case $m = n$, the number of solutions with multiplicity of a random system with quadratic equations is $\prod_{i=1}^{n} \deg(f_i) = 2^n$, which is the Bezout bound. So the univariate polynomial has this degree and XL will terminate for this degree, whereas the computation of the Gröbner basis will not exceed $1 + \sum_{i=1}^{n} (\deg(f_i) - 1) = n + 1$ for any ordering. This computation is done with a DRL ordering and then we use the FGLM algorithm [13, 10] to find the wanted ordering.

All this study is still true if $D < q$ and not only for $q > n$.



6 Example on HFE Systems

In cryptography, the systems studied seem to be random but have a structure behind them. So we need to make experimental tests on cryptosystems to get an idea of the efficiency of both algorithms.

Hidden Field Equations (HFE) is an asymmetric cryptosystem. It does not use number theory but is based on multivariate polynomials over a finite field (cf. [18]). The idea of HFE is to take a secret univariate polynomial (the private key) on an extension of the finite field, then to express this polynomial on the finite field. We thus obtain an algebraic system (the public key). This system is composed of polynomials of degree 2.

[Figure 4: (a) on $\mathbb{F}_2$; (b) on $\mathbb{F}_{16}$.]
Fig. 4. Comparison between XL and Gröbner algorithms on HFE

We have implemented the XL algorithm in Magma to test on the examples. Moreover, as the XL algorithm has a better behavior for $m > n$, we have fixed some variables to be in the case $m = n + 2$. We studied both cases presented in Section 5: for the field $\mathbb{F}_2$ we use secret polynomials with degree 17, and with degree 24 for the field $\mathbb{F}_{16}$.

With Figure 4(a), we see that the XL algorithm's maximal degree increases, whereas for Gröbner basis computation the degree of resolution does not change and does not exceed 3. In fact, the XL algorithm seems to follow Figure 1(a). So XL does not seem to find a difference between a random system and the HFE cryptosystem, contrary to Gröbner basis computation.

Figure 4(b) confirms that the Buchberger algorithm is still better than the XL algorithm on a bigger field for a number of elements higher than 6.

[Figure 5: (a) on $\mathbb{F}_2$; (b) on $\mathbb{F}_{16}$.]
Fig. 5. Time comparison between XL and Gröbner algorithms on HFE

We then present the computation time in Figure 5. For the XL algorithm, the main part of the computation is done in the Gaussian elimination and not in the other parts of the algorithm. As we can see, the Buchberger algorithm has a better behavior than the XL algorithm.
7 Conclusion

In this paper, we compared the XL algorithm with Gröbner basis algorithms. First, we showed that solving a system of algebraic equations treated in XL is equivalent to computing the reduced Gröbner basis of the ideal associated with the system. Moreover, we showed that the XL algorithm is also a Gröbner basis algorithm which can be represented as a redundant variant of the Gröbner basis algorithm F4. Then we compared these algorithms on semi-regular sequences in two cases: in the fields $\mathbb{F}_2$ and $\mathbb{F}_q$ with $q > n$. We showed that the size of the matrix constructed by XL is huge compared to the ones of the F5 algorithm. We gave an experimental study between XL and Buchberger algorithms on the cryptosystem HFE and found that the Buchberger algorithm had a better behavior. Our results imply that the XL algorithm is not as efficient as it was expected.
Abstract. We introduce a new computational problem related to the interpolation of group homomorphisms which generalizes many famous cryptographic problems including discrete logarithm, Diffie-Hellman, and RSA. As an application, we propose a generic undeniable signature scheme which generalizes the MOVA schemes. Our scheme is generic in the sense that we transform a private group homomorphism from public groups $G$ to $H$ (the order of $H$ being public) into an undeniable signature scheme. It is provably secure in the random oracle model provided that the interpolation problem is hard, and it offers the advantage of making the signature size arbitrarily short (depending on a security level). We (im)prove some security results from MOVA. We also propose a new example with complexity similar to RSA and with 3-byte signatures.



1 Introduction

An undeniable signature scheme is similar to a classical digital signature except that the recipient of a message cannot verify its validity alone: he needs to interact with the signer in order to be convinced of the validity of the signature. This is opposed to the so-called universal verifiability of classical digital signatures, where anybody knowing the signer's public key is able to verify the signature at any time. In some applications such as signing a contract, it is desirable to protect the signer's privacy by limiting the ability to verify this signature. However, an undeniable signature does not abandon the non-repudiation property. Indeed, in case of a dispute, the signer could be compelled by an authority to prove the invalidity of a signature; otherwise this would be considered as an attempt to deny a valid signature. An undeniable signature scheme is composed of a signature generation algorithm, a confirmation protocol to prove the validity of a signature, and a denial protocol to prove the invalidity of an invalid signature.

Since the invention of the first undeniable signature scheme proposed by Chaum and van Antwerpen [9], a certain amount of work has been dedicated to its development and to different improvements [5, 7, 8, 11, 12]. Until the proposal of an undeniable signature scheme based on RSA by Gennaro et al. [15], all previous undeniable signatures were based on the discrete logarithm problem. More recently, three undeniable signatures based on different problems have been proposed. The first one is based on pairings [18], the second one is based on a quadratic field [4], and the third one (MOVA) is based on characters [19].

In traditional digital signature schemes, the security collapses when the signature is too short because of universal verifiability: an attacker can try to guess a signature until it is valid in order to forge it. One advantage of undeniable signatures is that the security decreases smoothly with the signature length. As an example, we can think of 20-bit signatures which cannot be forged except with a probability of success of $2^{-20}$. The forger can increase it in an on-line attack, but this can easily be detected and thwarted. So, undeniable signatures could in principle be arbitrarily small, e.g. as small as a MAC, although no such signatures were proposed so far except MOVA signatures.

In this paper, we provide a new computational problem called the Group Homomorphism Interpolation (GHI) problem, whose solution consists in finding the image of a given point under a homomorphism which interpolates some given points. This generalizes and improves the MOVA scheme based on characters. Section 2 provides some theoretical results about the GHI problem. Section 3 contains several interactive proof protocols and some related security results that will be used for our undeniable signature from Section 4. Section 5 is devoted to a new example and further discussions. Finally, Section 6 concludes.



2 The Group Homomorphism Interpolation Problem

2.1 Problem Definitions

Given two Abelian groups $G$, $H$, and $S := \{(x_1, y_1), \dots, (x_s, y_s)\} \subseteq G \times H$, we say that the set of points $S$ interpolates in a group homomorphism if there exists a group homomorphism $f : G \to H$ such that $f(x_i) = y_i$ for $i = 1, \dots, s$. We say that a set of points $B \subseteq G \times H$ interpolates in a group homomorphism with another set of points $A \subseteq G \times H$ if $A \cup B$ interpolates in a group homomorphism. We state here the Group Homomorphism Interpolation problem (GHI problem) and its decisional problem (GHID problem).

$S$-GHI Problem (Group Homomorphism Interpolation Problem)
Parameters: two Abelian groups $G$ and $H$, a set of $s$ points $S \subseteq G \times H$.
Input: $x \in G$.
Problem: find $y \in H$ such that $(x, y)$ interpolates with $S$ in a group homomorphism.

$S$-GHID Problem (GHI Decisional Problem)
Parameters: two Abelian groups $G$ and $H$, a set of $s$ points $S \subseteq G \times H$.
Input: a point $(x, y) \in G \times H$.
Problem: does $(x, y)$ interpolate with $S$ in a group homomorphism?
We also consider the following problems.

$d$-MGGD Problem (Modular Group Generation Decisional Problem)
Parameters: an Abelian group $G$, an integer $d$.
Input: a set of values $S_1 = \{x_1, \dots, x_s\} \subseteq G$.
Problem: does $S_1$ modulo $dG$ span $G/dG$?

$(d, S_1)$-MSR Problem (Modular System Representation Problem)
Parameters: an Abelian group $G$, a set $S_1 = \{x_1, \dots, x_s\} \subseteq G$, an integer $d$.
Input: $x \in G$.
Problem: find $a_1, \dots, a_s \in \mathbb{Z}$ such that $x \in a_1 x_1 + \dots + a_s x_s + dG$.

$d$-Root Problem ($d$th Root Problem)
Parameters: an Abelian group $G$, an integer $d$.
Input: $x \in G$.
Problem: find $r \in G$ such that $x = dr$.

2.2 Preliminaries

Here is a first straightforward condition to solve the GHID problem.

Lemma 1. Let $G$, $H$ be two finite Abelian groups. We denote by $d$ the order of $H$. The set $S = \{(x_1, y_1), \dots, (x_s, y_s)\} \subseteq G \times H$ interpolates in a group homomorphism if and only if for any $a_1, \dots, a_s \in \mathbb{Z}$ such that $a_1 x_1 + \dots + a_s x_s \in dG$ we have $a_1 y_1 + \dots + a_s y_s = 0$.

Let us now consider uniqueness criteria. We first notice that when the $x$-coordinates of points in $S$ modulo $dG$ generate $G/dG$ (hence satisfy the MGGD problem), then there is at most one interpolating homomorphism. The following result says that this is a necessary condition as well.

Lemma 2. Let $G$, $H$ be two finite Abelian groups. We denote by $d$ the order of $H$. Let $x_1, \dots, x_s \in G$ which span $G'$. The following properties are equivalent. In this case, we say that $x_1, \dots, x_s$ $H$-generate $G$.

1. For all $y_1, \dots, y_s \in H$, there exists at most one group homomorphism $f : G \to H$ such that $f(x_i) = y_i$ for all $i = 1, \dots, s$.

2. There exists a unique group homomorphism $\varphi : G \to H$ such that $\varphi(x_i) = 0$ for $i = 1, \dots, s$, namely $\varphi = 0$.

3. The set $\mathrm{Hom}(G/G', H)$ of all group homomorphisms from $G/G'$ to $H$ is restricted to $\{0\}$.

4. $\gcd(\#(G/G'), d) = 1$.

5. $G' + dG = G$.

Note that criterion 4 suggests that $H$ is only involved through the prime factors of its order. In what follows the smallest prime factor $p$ will be important. Note that if $G = H$, these criteria mean that $x_1, \dots, x_s$ generate $G$.

We often meet the GHI and GHID problems in cryptography, as the following examples suggest.
Example 1. We take a cyclic group $G$ of order $q$, $H = \mathbb{Z}_q$, and a generator $g$ of $G$. The set $S = \{(g, 1)\}$ interpolates in a unique group homomorphism, and the GHI problem is exactly the discrete logarithm problem.

Example 2. We take a cyclic group $G = H$, and a generator $g$ of $G$. For any $a \in \mathbb{Z}$, $S = \{(g, ag)\}$ interpolates in a unique group homomorphism: the exponentiation to the power $a$. The GHI and GHID problems are exactly the Diffie-Hellman problem [13] and the Diffie-Hellman Decisional problem.

Example 3. Let $n = pq$ such that $p$, $q$ are different odd primes and $H = \{-1, +1\}$. We let $x_1, x_2 \in \mathbb{Z}_n^*$ be such that $x_1$ is a quadratic residue modulo $p$ and not modulo $q$, and that $x_2$ is a quadratic residue modulo $q$ and not modulo $p$. We notice that $S = \{(x_1, 1), (x_2, -1)\}$ interpolates in a unique group homomorphism which is $\left(\frac{\cdot}{p}\right)$. Since it is easy to compute $\left(\frac{\cdot}{n}\right)$, the quadratic residuosity problem [16] with the information $x_1$ and $x_2$ is equivalent to the GHI and GHID problems.

Example 4. Here, we consider the well known RSA cryptosystem [21]. Let $n = pq$ be an RSA modulus and $G = H = \mathbb{Z}_n^*$. Let $f : \mathbb{Z}_n^* \to \mathbb{Z}_n^*$ be defined by $f(x) = x^e \bmod n$ for an exponent $e$ such that $\gcd(e, \varphi(n)) = 1$ [21]. Given enough pairs $(x_i^e \bmod n, x_i) \in \mathbb{Z}_n^* \times \mathbb{Z}_n^*$, $i = 1, \dots, s$, for the first coordinates to generate $\mathbb{Z}_n^*$, the RSA decryption problem is solved by a GHI oracle. This application of the GHI problem to the decryption problem can be adapted to every homomorphic encryption scheme, e.g. Paillier [20].

Example 5. Given $d \in \{2, 3, 4\}$ and given an integer $n$ such that $d$ divides $\varphi(n)$, we let $G = \mathbb{Z}_n^*$ and $H = \mathbb{Z}_d$. The GHI problem is the MOVA$^d$ problem [19].

Example 6. We show here how we can apply the GHI problem to the Bilinear Diffie-Hellman Problem (BDHP). Let $e : G_1 \times G_1 \to G_2$ be a bilinear, non-degenerate and computable mapping, where $G_1$ and $G_2$ are cyclic groups of order a large prime $p$. Let $P$ be a generator of $G_1$; we can state the BDHP as follows: given three random elements $aP$, $bP$ and $cP \in G_1$, compute $e(P, P)^{abc}$. ($G_1$ resp. $G_2$ is written additively resp. multiplicatively.) BDHP is equivalent to the GHI problem with $S = \{(P, e(aP, bP))\}$ and $x = cP$.

Note that Examples 2, 3, 4, 5, 6 include trapdoors in order to interpolate the group homomorphism. Except for Examples 2, 6, they further include trapdoors in order to solve the MSR problem. Also note that the order $d$ of $H$ is publicly known in Examples 1, 2, 3, 5, 6. It can further be quite small in Examples 3, 5. In what follows we focus on publicly known $d$ and on trapdoor homomorphisms. We will also consider the following example inspired by [1].

Example 7. Let $n = pq$ such that $p = rd + 1$ and $q$ are prime, $\gcd(r, d) = 1$, $\gcd(q - 1, d) = 1$, with $d$ a small prime. We take $G = \mathbb{Z}_n^*$ and $H = \mathbb{Z}_d$. We can easily compute a group homomorphism by first raising to the power $r(q - 1)$ then computing a discrete logarithm in a small subgroup.
We finally provide a useful lemma to sample group elements.

Lemma 3. Let $G$, $H$, $d$ be defined as in Lemma 2. Let $x_1, \dots, x_s \in G$ which $H$-generate $G$. The following mapping from $G \times \mathbb{Z}_d^s$ to $G$ is balanced.

$$g : (r, a_1, \dots, a_s) \longmapsto dr + a_1 x_1 + \dots + a_s x_s$$

2.3 Problem Reductions

We assume that $S$ interpolates in a group homomorphism. We notice that the $S$-GHI problem can be solved with a single oracle call to a $(d, S_1)$-MSR oracle where $S_1$ denotes the set of all $x$ coordinates for points in $S$.

Similarly, the $S$-GHID problem can be probabilistically solved with a $(d, S_1)$-MSR oracle by using Lemma 1 and Lemma 3: we generate a random $x' = ax + dr + a_1 x_1 + \dots + a_s x_s$, we send it to the MSR oracle which will answer $a'_1, \dots, a'_s$, and we check whether $ay + (a_1 - a'_1) y_1 + \dots + (a_s - a'_s) y_s = 0$.

Note that once we have witnesses to find the group invariants of $G$ and $H$, it becomes easy to solve all problems. So GHI and GHID are in $\mathrm{NP} \cap \mathrm{co\text{-}NP}$.

2.4 Problem Approximations

In this section we present our most important results. They are inspired by the theory of checkable proofs [2, 3] and linear cryptanalysis.

Lemma 4. Given two finite Abelian groups $G$ and $H$, and a set of $s$ points $S = \{(x_i, y_i) \mid i = 1, \dots, s\}$, we assume that $x_1, \dots, x_s$ $H$-generate $G$. We let $d$ be the order of $H$ and $p$ be its smallest prime factor. We assume that there exists a function $f : G \to H$ such that

$$\rho := \Pr_{(r, a_1, \dots, a_s) \in_U G \times \mathbb{Z}_d^s} \left[ f(dr + a_1 x_1 + \dots + a_s x_s) = a_1 y_1 + \dots + a_s y_s \right] > \frac{1}{p}.$$

The set of points $(x_i, y_i)$ interpolates in a group homomorphism. Furthermore, given a random $x \in_U G$, the value $y = f(x)$ matches the unique interpolation with probability $\rho$.

This improves Theorem 13 from [19] where we have $1/2$ instead of $1/p$.

Proof. Let $K \subseteq \mathbb{Z}_d^s$ be the set of all $(a_1, \dots, a_s)$ such that $a_1 x_1 + \dots + a_s x_s \in dG$. We notice that the representation of any $G$ element as a combination of $x_1, \dots, x_s$ is uniquely defined modulo $K$. Following Lemma 1, we only have to prove that we have $a_1 y_1 + \dots + a_s y_s = 0$ for any $(a_1, \dots, a_s) \in K$. This way, the value $g(x) = a_1 y_1 + \dots + a_s y_s$ is uniquely defined by $x = dr + a_1 x_1 + \dots + a_s x_s$ and $g$ is a group homomorphism which corresponds to $f$ with probability $\rho$.

Let us consider a random $(r, a_1, \dots, a_s) \in_U G \times \mathbb{Z}_d^s$. $\rho$ is the probability that $f(dr + a_1 x_1 + \dots + a_s x_s)$ equals $a_1 y_1 + \dots + a_s y_s$. This probability is also the average over all possible cosets of $\mathbb{Z}_d^s / K$ of the same probability when $(a_1, \dots, a_s)$ is sampled in the coset only. Hence we deduce the existence of a coset $(a_1, \dots, a_s) + K$ such that for $(r, b_1, \dots, b_s) \in_U G \times K$ we have

$$\Pr\left[ f(dr + (a_1 + b_1) x_1 + \dots + (a_s + b_s) x_s) = (a_1 + b_1) y_1 + \dots + (a_s + b_s) y_s \right] \ge \rho.$$

Note that $a_1 x_1 + \dots + a_s x_s$ is now a constant $x$ and that $dr + b_1 x_1 + \dots + b_s x_s$ can be written $dr'$ where $r'$ is uniformly sampled in $G$ and independent from $b_1, \dots, b_s$. Hence, there exists $r'$ such that

$$\Pr_{(b_1, \dots, b_s) \in_U K} \left[ f(dr' + x) = (a_1 + b_1) y_1 + \dots + (a_s + b_s) y_s \right] \ge \rho.$$

So we have

$$\Pr_{(b_1, \dots, b_s) \in_U K} \left[ b_1 y_1 + \dots + b_s y_s = \text{constant} \right] > \frac{1}{p}.$$

Since $(b_1, \dots, b_s) \mapsto b_1 y_1 + \dots + b_s y_s$ is a group homomorphism from $K$ to a subgroup of $H$, it must be a balanced function. Its kernel is either a subgroup of size at least $p$ or the trivial subgroup $\{0\}$. Hence, the probability must actually be $1$ and we have $b_1 y_1 + \dots + b_s y_s = 0$ for all $(b_1, \dots, b_s) \in K$. □

The next result says that $f$ can be used in order to solve the GHI problem.

Lemma 5. Given two finite Abelian groups $G$ and $H$, and a set of $s$ points $S = \{(x_i, y_i) \mid i = 1, \dots, s\}$, we assume that $x_1, \dots, x_s$ $H$-generate $G$. We assume that we are given the order $d$ of $H$ whose smallest prime factor is $p$ and that we can sample elements in $G$ with a uniform distribution. We assume that we have an oracle function $f : G \to H$ such that

$$\Pr_{(r, a_1, \dots, a_s) \in_U G \times \mathbb{Z}_d^s} \left[ f(dr + a_1 x_1 + \dots + a_s x_s) = a_1 y_1 + \dots + a_s y_s \right] = \frac{1}{p} + \theta$$

with $\theta > 0$. Let $\varepsilon > 0$ be arbitrarily small. There exists a group homomorphism which interpolates $S$ and which is computable within $4\theta^{-2} \log(p/\varepsilon)$ oracle calls with an error probability less than or equal to $\varepsilon$.

Note that this substantially improves Theorem 8 from [19] where we basically have $11/12$ instead of $1/p$. It was further conjectured in [19] that we could replace it by $1/2$. We made here a more precise result.

Proof (Sketch). Due to Lemma 4, the homomorphism $g$ exists and we have $\Pr_{x \in_U G}[f(x) = g(x)] = p^{-1} + \theta$. We use the same techniques which are used in linear cryptanalysis and consider the following algorithm.

Input: $x \in G$
1: repeat
2:   pick $r \in G$, $a_1, \dots, a_s \in \mathbb{Z}_d$ at random
3:   $y = f(x + dr + a_1 x_1 + \dots + a_s x_s) - a_1 y_1 - \dots - a_s y_s$
4:   $c = 0$
5:   for $i = 1$ to $n$ do
6:     pick $r \in G$, $a_1, \dots, a_s, a \in \mathbb{Z}_d$ at random
7:     if $f(dr + a_1 x_1 + \dots + a_s x_s + ax) = a_1 y_1 + \dots + a_s y_s + ay$ (T) then
8:       $c = c + 1$
9:     end if
10:   end for
11: until $c > \tau n$
Output: $y$

We choose $n = 4\theta^{-2}(p^{-1} + \theta) \log(p/\varepsilon)$ and $\tau = p^{-1} + \frac{1}{2}\theta$, and we estimate the error probability of the acceptance test. We consider two types of error:

$$\varepsilon_1 = \Pr[c \le \tau n \mid y = g(x)], \qquad \varepsilon_2 = \Pr[c > \tau n \mid y \ne g(x)].$$

We will now estimate these two values and show that they are negligible. If $y \ne g(x)$, then the test (T) works with probability $t_2 \le 1/p$ due to Lemma 4. We also notice that if $y = g(x)$, the probability that the test works is $p^{-1} + \theta$. Hence, using the central limit theorem we obtain

$$\varepsilon_1 \approx \Phi\left( \sqrt{n}\, \frac{\tau - p^{-1} - \theta}{\sqrt{(p^{-1} + \theta)(1 - p^{-1} - \theta)}} \right), \qquad \varepsilon_2 \approx \Phi\left( -\sqrt{n}\, \frac{\tau - t_2}{\sqrt{t_2 (1 - t_2)}} \right)$$

when $n$ is large enough and where $\Phi$ denotes the distribution function of the standard normal distribution. By looking at the logarithmic derivative of the function $f(t) = (\tau - t)/\sqrt{t(1 - t)}$ and noticing that this one is negative on the interval $[0, \tau]$ we deduce that

$$\varepsilon_2 \le \Phi\left( -\sqrt{n}\, \frac{\tau - p^{-1}}{\sqrt{p^{-1}(1 - p^{-1})}} \right).$$

Using $\tau = p^{-1} + \frac{1}{2}\theta$ provides

$$\varepsilon_2 \le \Phi\left( -\sqrt{n}\, \frac{\theta}{2\sqrt{p^{-1}(1 - p^{-1})}} \right),$$

which we approximate by the exponential tail bound of the normal distribution; this approximation holds when $n$ is large enough ($\varepsilon$ small). Now, we substitute the expression of $n$ in the above inequality and, when $\varepsilon$ is small, we finally get $\varepsilon_2 < \rho\varepsilon/2$, where $\rho = p^{-1} + \theta$. In a similar way, we can show that $\varepsilon_1 \le \varepsilon/2$. It remains to compute the complexity and the error probability of the algorithm. At first, we observe that the probability $\alpha$ that $c \le \tau n$ in the algorithm is equal to $\rho \varepsilon_1 + (1 - \rho)(1 - \varepsilon_2)$. From the estimates of $\varepsilon_1$, $\varepsilon_2$, we see that $\alpha \approx 1 - \rho$. Moreover, the expected number of iterations is equal to $\sum_{i \ge 1} i \alpha^{i-1} (1 - \alpha) = 1/(1 - \alpha) \approx 1/\rho$. Hence, the complexity is $n/\rho = 4(\log(1/\varepsilon) + \log(p))/(\rho - p^{-1})^2$. The probability of error is given by $(1 - \alpha)^{-1}(1 - \rho)\varepsilon_2 \approx \frac{1 - \rho}{\rho}\varepsilon_2 < \varepsilon_2/\rho < \varepsilon/2$. □
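As an added example (not from the paper), the following Python code runs the algorithm of the proof sketch above on a constructed instance: $G = \mathbb{Z}_{35}$, $H = \mathbb{Z}_7$ (so $d = p = 7$), $S = \{(1, 1)\}$, and an oracle $f$ that agrees with the homomorphism $x \mapsto x \bmod 7$ on 23 of the 35 inputs, i.e. with probability $\rho = 23/35 > 1/p + \theta$ for $\theta = 1/2$. All names are this example's own.

```python
import math
import random

G_ORDER, D_ORD, P_SMALL = 35, 7, 7   # G = Z_35 (additive), H = Z_7, d = 7, p = 7
POINTS = [(1, 1)]                    # S = {(x_1, y_1)}: x_1 = 1 H-generates G, y_1 = g(1)

def g_true(x):
    """The interpolating homomorphism g: Z_35 -> Z_7 the algorithm must recover (constructed)."""
    return x % D_ORD

# Constructed oracle f: equals g except on 12 fixed inputs, where it is shifted by 3.
# Hence Pr_x[f(x) = g(x)] = 23/35 ~ 0.657 > 1/p + theta with theta = 1/2.
BAD = {2, 5, 9, 11, 14, 17, 20, 23, 26, 29, 31, 34}

def f_oracle(x):
    x %= G_ORDER
    return (g_true(x) + 3) % D_ORD if x in BAD else g_true(x)

def in_g(r, coeffs, extra=0):
    """dr + a_1 x_1 + ... + a_s x_s + extra, computed in G (the Lemma 3 sampling)."""
    return (D_ORD * r + sum(a * x for a, (x, _) in zip(coeffs, POINTS)) + extra) % G_ORDER

def in_h(coeffs, extra=0):
    """a_1 y_1 + ... + a_s y_s + extra, computed in H."""
    return (sum(a * y for a, (_, y) in zip(coeffs, POINTS)) + extra) % D_ORD

def interpolate(x, f, theta, eps, rng=None):
    """Algorithm of Lemma 5: returns (g(x), number of oracle calls), error probability <= eps."""
    rng = rng or random.Random(2004)
    p = P_SMALL
    n = math.ceil(4 * theta ** -2 * (1 / p + theta) * math.log(p / eps))
    tau = 1 / p + theta / 2
    calls = 0
    while True:                                   # 1: repeat
        r = rng.randrange(G_ORDER)                # 2: random r, a_1..a_s
        a = [rng.randrange(D_ORD) for _ in POINTS]
        y = (f(in_g(r, a, x)) - in_h(a)) % D_ORD  # 3: candidate value y
        calls += 1
        c = 0                                     # 4
        for _ in range(n):                        # 5: acceptance test (T), n times
            r = rng.randrange(G_ORDER)            # 6
            a = [rng.randrange(D_ORD) for _ in POINTS]
            b = rng.randrange(D_ORD)              # the coefficient a of x in (T)
            if f(in_g(r, a, b * x)) == in_h(a, b * y):   # 7
                c += 1                            # 8
        calls += n
        if c > tau * n:                           # 11: until c > tau*n
            return y, calls

if __name__ == "__main__":
    rng = random.Random(2004)
    ok = all(interpolate(x, f_oracle, 0.5, 1e-4, rng)[0] == g_true(x) for x in range(G_ORDER))
    print("all 35 inputs recovered:", ok)
```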
3 Interactive Proof Protocol

3.1 Proof for the GHID Problem

Let $G$, $H$, and $S = \{(g_1, e_1), \dots, (g_s, e_s)\}$ be parameters of a GHI problem, and let $d$ be the order of $H$. We assume that we have a prover who wants to convince a verifier that he knows an interpolating group homomorphism $f : G \to H$ for $S$. Let $\ell$ be an integer. He performs the following interaction with a verifier.

GHIproof$_\ell(S)$
Parameters: $G$, $H$, $d$
Input: $\ell$, $S = \{(g_1, e_1), \dots, (g_s, e_s)\} \subseteq G \times H$

1. The verifier picks $r_i \in G$ and $a_{i,j} \in \mathbb{Z}_d$ at random for $i = 1, \dots, \ell$ and $j = 1, \dots, s$. He computes $u_i = dr_i + a_{i,1} g_1 + \dots + a_{i,s} g_s$ and $w_i = a_{i,1} e_1 + \dots + a_{i,s} e_s$ for $i = 1, \dots, \ell$. He sends $u_1, \dots, u_\ell$ to the prover.

2. The prover computes $v_i = f(u_i)$ for $i = 1, \dots, \ell$. He sends a commitment to $v_1, \dots, v_\ell$ to the verifier.

3. The verifier sends all $r_i$'s and $a_{i,j}$'s to the prover.

4. The prover checks that the $u_i$'s computations are correct. He then opens his commitment.

5. The verifier checks that $v_i = w_i$ for $i = 1, \dots, \ell$.

From a practical point of view, the verifier can generate the $r_i$'s and $a_{i,j}$'s in a pseudorandom way from a seed and simply disclose the seed in the third step of the protocol. Further note that if $\ell$ is large enough, then the verifier can send $h(w_1, \dots, w_\ell) \oplus \text{seed}$ (where $h$ is a hash function) in his first message so that the complete protocol can run in 2 moves instead of 4. In the second move, the prover simply sends seed.

Note that we need a commitment scheme here, e.g. the trapdoor commitment scheme proposed by Bresson et al. [6]. Note that using a trapdoor commitment with the verifier's public key strengthens our protocols by providing the non-transferability property [17].

Theorem 1. Assuming that $g_1, \dots, g_s$ $H$-generate an Abelian group $G$, let $d$ be an integer and $e_1, \dots, e_s \in H$, where $H$ is an Abelian group of order $d$. Let $p$ be the smallest prime factor of $d$. We consider the GHIproof$_\ell(S)$ protocol with $S = \{(g_1, e_1), \dots, (g_s, e_s)\} \subseteq G \times H$.

i. Completeness: assuming that the prover and the verifier are honest, the protocol always succeeds.

ii. Zero-knowledge: assuming that the commitment scheme is perfectly hiding, the above protocol is perfectly black-box zero-knowledge against any verifier.

iii. Proof of membership: assuming that the protocol succeeds with probability greater than $p^{-\ell}$ with a honest verifier, then $S$ interpolates in a group homomorphism.

iv. Proof of knowledge: for any $\theta > 0$, assuming that the protocol succeeds with probability greater than $(p^{-1} + \theta)^\ell$ with a honest verifier and that the commitment scheme is extractable, for any $\varepsilon > 0$ there exists an extractor with a time complexity factor $O(\log(1/\varepsilon))$ which can compute an interpolating group homomorphism from the prover with probability at least $1 - \varepsilon$.

Proof (Sketch). Property i is quite clear. Property ii is proven by constructing a simulator for the transcript of the protocol without the secret of the prover. Property iii directly follows from Lemma 4. For Property iv, we use Lemma 4 and Lemma 5. □

3.2 Proof for the co-GHID Problem

Let $G$, $H$, and $S = \{(g_1, e_1), \dots, (g_s, e_s)\} \subseteq G \times H$ be parameters of a GHI problem, and let $d$ be the order of $H$. Let $T = \{(x_1, z_1), \dots, (x_t, z_t)\} \subseteq G \times H$ be a set of $t$ inputs of the GHID problem. We assume that we have a prover who wants to convince a verifier that for at least one $k$ the answer to the GHID problem with $(x_k, z_k)$ is negative. Let $\ell$ be an integer. He performs the following interaction with a verifier.

coGHIproof$_\ell(S, T)$
Parameters: $G$, $H$, $d$
Input: $\ell$, $S = \{(g_1, e_1), \dots, (g_s, e_s)\}$, $T = \{(x_1, z_1), \dots, (x_t, z_t)\}$

1. The verifier picks $r_{i,k} \in G$, $a_{i,j,k} \in \mathbb{Z}_d$, and $\lambda_i \in \mathbb{Z}_p^*$ for $i = 1, \dots, \ell$, $j = 1, \dots, s$, $k = 1, \dots, t$, where $p$ is the smallest prime dividing $d$. He computes $u_{i,k} := dr_{i,k} + \sum_{j} a_{i,j,k} g_j + \lambda_i x_k$ and $w_{i,k} := \sum_{j} a_{i,j,k} e_j + \lambda_i z_k$. Set $u := (u_{1,1}, \dots, u_{\ell,t})$ and $w := (w_{1,1}, \dots, w_{\ell,t})$. He sends $u$ and $w$ to the prover.

2. The prover computes $v_{i,k} := f(u_{i,k})$ for $i = 1, \dots, \ell$, $k = 1, \dots, t$. Since $w_{i,k} - v_{i,k} = \lambda_i (z_k - y_k)$ (where $y_k = f(x_k)$), he should be able to find every $\lambda_i$ if the verifier is honest, since $w_{i,k} \ne v_{i,k}$ for all $i$ and at least one $k$. Otherwise, he sets $\lambda_i$ to a random value. He then sends a commitment to $\lambda = (\lambda_1, \dots, \lambda_\ell)$ to the verifier.

3. The verifier sends all $r_{i,k}$'s and $a_{i,j,k}$'s to the prover.

4. The prover checks that $u$ and $w$ were correctly computed. He then opens the commitment to $\lambda$.

5. The verifier checks that the prover could find the right $\lambda$.

This protocol is inspired by the denial protocol of Gennaro et al. [15]. We can also transform it into a 2-move protocol.

We notice that $\lambda_i$ was chosen such that it can be uniquely retrieved for every nonzero value that can be taken by the elements $z_k - y_k$. Namely, this is done by the following result.

Lemma 6. Let $H$ be an Abelian group of order $d$, and $a, b \in H$ such that $b \ne 0$. Let $\lambda$ be in $\{1, \dots, p - 1\}$, where $p$ is the smallest prime dividing $d$. Then, if the equation $a = \lambda b$ has a solution in $\lambda$, this one is unique.
3.3 Proof for the MGGD Problem

Inspired by [19], we propose here a proof that $S_1 = \{g_1, \dots, g_s\}$ $H$-generate $G$. However, the signer needs expert knowledge about $G$ since he has to be able to solve the $(d, S_1)$-MSR and $d$-Root problems. Let $\ell$ be an integer. He performs the following protocol.

MGGDproof$_\ell(S_1)$
Parameters: $G$, $H$, $d$
Input: $\ell$, $S_1 = \{g_1, \dots, g_s\} \subseteq G$
1: for $i = 1$ to $\ell$ do
2:   The prover picks a $\delta_1 \in G$ at random and sends a commitment to $\delta_1$ to the verifier.
3:   The verifier picks a $\delta_2 \in G$ at random and sends $\delta_2$ to the prover.
4:   The prover solves $(d, S_1)$-MSR on $\delta_1 + \delta_2$ and $d$-Root and finds $r \in G$, $a_1, \dots, a_s \in \mathbb{Z}_d$ such that $\delta_1 + \delta_2 = dr + \sum_{j} a_j g_j$. He sends $r, a_1, \dots, a_s$ to the verifier and opens the commitment to $\delta_1$.
5:   The verifier checks that $\delta_1 + \delta_2 = dr + \sum_{j} a_j g_j$ really holds.
6: end for

We can prove as in Lemma 4 that if a honest verifier is convinced with probability greater than $p^{-\ell}$, then $S_1$ solves the $d$-MGGD problem.

Note that this can be transformed into a non-interactive proof following standard techniques [14]. An efficient way consists of generating pseudorandom $\delta_1, \dots, \delta_\ell$ from the same seed then solving the $(d, S_1)$-MSR and $d$-Root problems on those elements.

4 Undeniable Signature

4.1 Description

We now describe our undeniable signature scheme.

Domain Parameters. We let integers Lkey, Lsig, Lcon, Lden be security parameters as well as "group types" for Xgroup and Ygroup. (The group types should define what groups and which sizes to use in order to achieve security.) An optional parameter Lval is used in Setup Variants 3 and 4 below.

Primitives. We use two deterministic random generators Gen1 and Gen2 which produce elements of Xgroup, and a commitment scheme.

Setup Variant 1. (signer without expert group knowledge)
The signer selects Abelian groups Xgroup and Ygroup of given types together with a group homomorphism Hom : Xgroup $\to$ Ygroup. He computes the order $d$ of Ygroup. He then picks a random string seedK and computes the Lkey first values $(\mathrm{Xkey}_1, \dots, \mathrm{Xkey}_{\mathrm{Lkey}})$ from Gen1(seedK) and $\mathrm{Ykey}_j := \mathrm{Hom}(\mathrm{Xkey}_j)$, $j = 1, \dots, \mathrm{Lkey}$.

The main problem of Setup is that the choice for $(\mathrm{Xkey}_1, \dots, \mathrm{Xkey}_{\mathrm{Lkey}})$ must Ygroup-generate Xgroup in order to ensure non-repudiation of signatures. In Variant 1, Lkey must be large enough so that it is impossible to maliciously select a key which does not guarantee this condition.

Setup Variant 2. (signer with a Registration Authority (RA))
We use here a RA whose role consists of making sure that a key was randomly selected. (Note that the RA does not check if the key is valid.)

1. The signer selects Abelian groups Xgroup and Ygroup of given types together with a group homomorphism Hom : Xgroup $\to$ Ygroup. He computes the order $d$ of Ygroup. He submits his identity Id together with Xgroup, Ygroup and $d$ to the RA.

2. The RA first checks the identity of the signer and that he did not submit too many registration attempts. It then picks a random string seedK that is sent to the signer together with a signature C for (Id, Xgroup, Ygroup, $d$, seedK).

3. The signer computes the Lkey first values $(\mathrm{Xkey}_1, \dots, \mathrm{Xkey}_{\mathrm{Lkey}})$ from Gen1(seedK) and $\mathrm{Ykey}_j := \mathrm{Hom}(\mathrm{Xkey}_j)$, $j = 1, \dots, \mathrm{Lkey}$.

Here the RA basically selects the random key, so Lkey can be reduced.

Setup Variant 3. (signer with expert group knowledge)
In this variant we assume that the signer can solve the MSR and Root problems in Xgroup. It works exactly like Setup Variant 1, but the signer can further run a MGGDproof$_{\mathrm{Lval}}$ in order to validate the public key so that Lkey can be further reduced to the smallest possible one.

Setup Variant 4. (signer with expert group knowledge, non-interactive)
This variant is the same as Variant 3 except that MGGDproof is transformed into a non-interactive proof.

Public Key. $K_p = (\mathrm{Xgroup}, \mathrm{Ygroup}, d, \mathrm{seedK}, (\mathrm{Ykey}_1, \dots, \mathrm{Ykey}_{\mathrm{Lkey}}))$ with an optional (Id, C) for Variant 2, an optional Lval for Variants 3, 4, and an optional non-interactive proof for Variant 4. We say that $K_p$ is valid if $\{\mathrm{Xkey}_1, \dots, \mathrm{Xkey}_{\mathrm{Lkey}}\}$ Ygroup-generate Xgroup.

Secret Key. $K_s = \mathrm{Hom}$.

Signature Generation. The message $M$ is used to generate $\mathrm{Xsig}_1, \dots, \mathrm{Xsig}_{\mathrm{Lsig}}$ from Gen2($M$). The signer computes $\mathrm{Ysig}_k = \mathrm{Hom}(\mathrm{Xsig}_k)$ for $k = 1, \dots, \mathrm{Lsig}$. The signature is $(\mathrm{Ysig}_1, \dots, \mathrm{Ysig}_{\mathrm{Lsig}})$. It consists of $\mathrm{Lsig} \cdot \log_2 d$ bits.

Confirmation Protocol. Compute $\mathrm{Xkey}_1, \dots, \mathrm{Xkey}_{\mathrm{Lkey}}$ from the public key and $\mathrm{Xsig}_1, \dots, \mathrm{Xsig}_{\mathrm{Lsig}}$ from the message, and run GHIproof$_{\mathrm{Lcon}}$ on the set

$$S = \{(\mathrm{Xkey}_j, \mathrm{Ykey}_j) \mid j = 1, \dots, \mathrm{Lkey}\} \cup \{(\mathrm{Xsig}_k, \mathrm{Ysig}_k) \mid k = 1, \dots, \mathrm{Lsig}\}.$$

Denial Protocol. Compute $\mathrm{Xkey}_1, \dots, \mathrm{Xkey}_{\mathrm{Lkey}}$ from the public key as well as $\mathrm{Xsig}_1, \dots, \mathrm{Xsig}_{\mathrm{Lsig}}$ from the message, and run coGHIproof$_{\mathrm{Lden}}$ on the sets

$$S = \{(\mathrm{Xkey}_j, \mathrm{Ykey}_j) \mid j = 1, \dots, \mathrm{Lkey}\}, \qquad T = \{(\mathrm{Xsig}_k, \mathrm{Zsig}_k) \mid k = 1, \dots, \mathrm{Lsig}\}$$

where $(\mathrm{Zsig}_1, \dots, \mathrm{Zsig}_{\mathrm{Lsig}})$ is the alleged non-signature.

The undeniable signature scheme of Gennaro et al. [15] which is based on RSA corresponds to a special case of our scheme, namely with Xgroup = Ygroup = $\mathbb{Z}_n^*$, Lkey = Lsig = 1 and the classical RSA signing function as homomorphism Hom. Another example with Lkey = Lsig = 1 is the undeniable signature of Chaum [7]. He considered Xgroup = Ygroup = $\mathbb{Z}_p^*$ for a prime $p$ and the homomorphism consisting in raising an element to the power of the private key. In both examples the signature is quite large. The MOVA scheme [19] is another example with Xgroup = $\mathbb{Z}_n^*$, Hom a character of order $d \in \{2, 3, 4\}$, and Ygroup the subgroup of $\mathbb{C}^*$ spanned by $e^{2i\pi/d}$.

4.2 Security Analysis 

Theorem 2 (Setup Variants 1, 2). We consider the above undeniable signature. Given a prime q, we let A_q be the subgroup of Xgroup of all terms whose orders are powers of q. Given q there is a unique k_q and a unique sequence $a_{q,1} \leq \ldots \leq a_{q,k_q}$ such that A_q is isomorphic to $\mathbb{Z}_{q^{a_{q,1}}} \oplus \ldots \oplus \mathbb{Z}_{q^{a_{q,k_q}}}$. The probability Pgen that {Xkey_1, ..., Xkey_Lkey} Ygroup-generate Xgroup satisfies

$P_{gen} \geq \prod_{q \in P_d} (\ldots)$

where P_d is the set of all prime factors of gcd(#Xgroup, d).

As an application, if d is prime and if Xgroup is a product of k cyclic groups, we have Pgen ≥ 1 − (…).

Theorem 3. We consider the above undeniable signature scheme. Assuming that the public key is valid, we have the following security results.

i. If the signer and the verifier are honest, the two protocols complete: a valid signature will always be accepted by the confirmation protocol, and an invalid signature will always be rejected by the denial protocol.

ii. Let S = {(Xkey_1, Ykey_1), ..., (Xkey_Lkey, Ykey_Lkey)}. The scheme resists existential forgery attacks provided that Gen2 is a random oracle and the S-GHI problem is intractable.

iii. The confirmation (resp. denial) protocol is sound: if the signer is able to pass the protocol with probability q > (…) (resp. q > (…)), then the alleged signature is valid (resp. invalid).

iv. The confirmation protocol is private when the commitment scheme is extractable: for any θ, ε > 0, from a prover which is able to convince an honest verifier that a given signature is valid with probability $q > p^{(\ldots)} + \theta$ we can extract within a complexity factor of $\Omega(\theta^{-1} \log(p/\varepsilon))$ a group homomorphism which solves the GHI problem with success probability 1 − ε.

v. The signatures are invisible: for any θ, ε > 0, from a distinguisher of a valid signature from a random one with advantage θ > 0, we can extract within a complexity factor of $\Omega(\theta^{-1} \log(1/\varepsilon))$ a GHID problem solver with success probability 1 − ε.

vi. The confirmation (resp. denial) protocol is perfectly black-box zero-knowledge when the commitment scheme is perfectly hiding: we can build a simulator for the protocol without the secret key for any verifier.

In short, if we take Xgroup = Z_n^* where n is a product of two prime numbers, and Lsig = Icon = Iden = Sonline / log2 p, we cannot contradict the confirmation or denial protocols but with a probability at most (…), and signatures are invisible provided that the generators are random oracles and that the interpolation problem is hard. For Variant 2, we can take Lkey = Sonline / log2 p and this generates invalid keys with probability less than (…). For Variant 1, we can take Lkey = Soffline / log2 p so that the signer cannot create invalid keys within a complexity less than (…). For Variants 3, 4, Lkey can be as low as possible. We can take Ival = Sonline / log2 p for Variant 3 (so that invalid keys are accepted with probability less than 2^{-Sonline}), and Ival = Soffline / log2 p for Variant 4 so that the signer cannot create invalid keys within a complexity less than 2^{Soffline}. We suggest Soffline = 80 and Sonline = 20.

5 Example and Further Discussions

5.1 Setting Proposal

We consider Example 7 with a small prime d, e.g. d = 2^20 + 7. We take Xgroup = Z_n^*, Ygroup = Z_d, Lkey = Lsig = Icon = Iden = 1 and we consider Variants 3 and 4 of the Setup protocol. If Xkey ∈ Xgroup is not a dth power residue then it Ygroup-generates Xgroup. For any Ykey ∈ Z_d there is a unique group homomorphism Hom such that Hom(Xkey) = Ykey. With this example we can sign with a single element of Z_d and a public key (n, d, seedK, Ykey).

Note that the group homomorphism computation requires raising to the power r in Z_p^* and computing the discrete logarithm in a cyclic group of about 2^20 elements. This can be precomputed in a table of 2.5 MB as detailed below.

We first precompute a (large) table of all (Xsig_i, i) with Xsig_i = Xkey^{ri} (mod p) for i = 0, 1, ..., d − 1. Note that i can be encoded into 20 bits. Next we insert all (Xsig_i, i) pairs in a hash table of 2^20 entries keyed by Xsig_i: put i at position h(Xsig_i) unless there is a collision. Resolving collisions can be done by standard techniques, for instance see [10] Chapter 12, but note that resolving collisions is not necessary: if Xsig_i is not in the table, we can look for the smallest j such that Xsig_{i+j} is in the table.
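Added example (not from the paper): the setting above in Python with toy parameters, d = 101 instead of 2^20 + 7 and small primes p, q so that the whole table can be inspected. It builds the table the way the text describes (index i at slot h(Xkey^{ri}), a colliding entry simply dropped) and recovers a dropped entry by stepping to Xsig_{i+j}; it assumes r = (p − 1)/d, which this section does not restate, and uses SHA-256 as a stand-in for the generators Gen1 and Gen2.

```python
import hashlib
from math import gcd

# Toy parameters constructed for this example. The paper's setting uses d = 2^20 + 7 and an
# RSA-size n = p*q; here d is a small prime so the whole table fits on one screen.
D = 101                 # prime d: Ygroup = Z_d, so with Lsig = 1 a signature is one element of Z_d
TABLE_BITS = 7          # 2^7 = 128 slots for d = 101 entries (paper: 2^20 slots, 20-bit indices)
MASK = (1 << TABLE_BITS) - 1


def is_prime(m):
    """Deterministic trial division; enough for the toy sizes used here."""
    if m < 2:
        return False
    f = 2
    while f * f <= m:
        if m % f == 0:
            return False
        f += 1
    return True


def prime_1_mod_d(start, d=D):
    """Smallest prime p >= start with p = 1 (mod d), so Z_p^* has a cyclic subgroup of order d."""
    p = start + (1 - start) % d
    while not is_prime(p):
        p += d
    return p


def gen_elements(seed, n, count):
    """Stand-in for Gen1 / Gen2: derive `count` elements of Z_n^* from a seed with SHA-256."""
    out, ctr = [], 0
    while len(out) < count:
        digest = hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        x = int.from_bytes(digest, "big") % n
        ctr += 1
        if x > 1 and gcd(x, n) == 1:
            out.append(x)
    return out


class Signer:
    """Knows p (the trapdoor) and holds the precomputed table that makes Hom cheap to evaluate."""

    def __init__(self, p, q, seed_k, ykey):
        self.p, self.n = p, p * q
        self.r = (p - 1) // D                     # assumed r = (p-1)/d: x^r mod p has order | d
        self.xkey = gen_elements(seed_k, self.n, 1)[0]   # Lkey = 1: Xkey from Gen1(seedK)
        self.g = pow(self.xkey, self.r, p)               # Xkey^r mod p
        if self.g == 1:                                  # Xkey is a d-th power residue mod p
            raise ValueError("Xkey does not Ygroup-generate Xgroup; this seedK gives an invalid key")
        self.ykey = ykey % D                             # any Ykey != 0 in Z_d fixes Hom uniquely
        # Precomputation: index i at slot h(Xkey^{ri} mod p); a colliding entry is simply dropped.
        self.table = [None] * (1 << TABLE_BITS)
        for i in range(D):
            slot = pow(self.g, i, p) & MASK
            if self.table[slot] is None:
                self.table[slot] = i
        self.public_key = (self.n, D, seed_k, self.ykey)  # Kp = (n, d, seedK, Ykey)

    def dlog(self, y):
        """Return i with Xkey^{ri} = y (mod p). If y's entry was dropped, step to y * g^j for
        j = 1, 2, ... until a stored index matches and return (i - j) mod d."""
        for j in range(D):
            i = self.table[y & MASK]
            if i is not None and pow(self.g, i, self.p) == y:
                return (i - j) % D
            y = (y * self.g) % self.p
        raise ValueError("y is not in the subgroup of order d")

    def hom(self, x):
        """Secret key Ks = Hom: Z_n^* -> Z_d, normalised so that Hom(Xkey) = Ykey."""
        return (self.ykey * self.dlog(pow(x, self.r, self.p))) % D

    def sign(self, message):
        """Lsig = 1: Xsig from Gen2(M); the signature Ysig = Hom(Xsig) is log2(d) bits long."""
        xsig = gen_elements(b"Gen2|" + message, self.n, 1)[0]
        return self.hom(xsig)


def setup_demo(ykey=17):
    """Signer-chosen setup (Variants 3/4): try seeds until Xkey is valid; each seed works with
    probability 1 - 1/d. Returns the Signer holding the secret key."""
    p, q = prime_1_mod_d(6000), 7919                 # q is any other prime; n = p*q is public
    for k in range(D):
        try:
            return Signer(p, q, b"seedK-%d" % k, ykey)
        except ValueError:
            continue
    raise RuntimeError("no valid key found")


if __name__ == "__main__":
    s = setup_demo()
    print("n =", s.n, "Hom(Xkey) =", s.hom(s.xkey), "signature on b'hello':", s.sign(b"hello"))
```

Because d is prime, Hom(Xkey) ≠ 0 is exactly the "not a dth power residue" condition, and every dth power maps to 0, which is what the checks on the kernel below exercise.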

Time/memory tradeoffs can also be considered. Remark also that such a tradeoff should not require more than the complexity of Pollard's rho algorithm for the computation of the discrete logarithm in our example, i.e. approximately 3000 multiplications.

Depending on the application, the signature size of 20 bits may be considered too small. Of course, we can easily enlarge it, e.g. to 48 bits. Our point is that signature size versus security is fully scalable here.

The signature generation requires 1 homomorphism, i.e. about one exponentiation in Z_n^*. (Note that this is twice as fast as a 1024-bit RSA signature computation with Chinese remainders.) The complexity of the confirmation protocol is about 35 multiplications in Z_n^* for the verifier (which can be compared to 17 multiplications in Z_n^* for RSA if we take e = 2^16 + 1) and 1 homomorphism for the prover. The denial protocol requires almost the same complexity.

Complexities of this setting with all setup variants as well as those of the MOVA scheme with d = 2 and a 20-bit signature length are detailed in Table 1. The main advantage of using the above setting instead of MOVA is that the former strongly decreases the number of multiplications in Z_n^* for the confirmation.



Table 1. Implementation Examples

Setup | d        | Lsig, Icon, Iden | Lkey | Ival | Signature cost | Confirmation cost
------+----------+------------------+------+------+----------------+--------------------------
1     | 2        | 20               | 80   |      | 20 Leg. symb.  | 20 Leg. symb., 730 mult.
2     | 2        | 20               | 20   |      | 20 Leg. symb.  | 20 Leg. symb., 280 mult.
3     | 2        | 20               | 2    | 20   | 20 Leg. symb.  | 20 Leg. symb., 145 mult.
4     | 2        | 20               | 2    | 80   | 20 Leg. symb.  | 20 Leg. symb., 145 mult.
1     | 2^20 + 7 | 1                | 4    |      | 1 Hom          | 1 Hom, 65 mult.
2     | 2^20 + 7 | 1                | 1    |      | 1 Hom          | 1 Hom, 35 mult.
3     | 2^20 + 7 | 1                | 1    | 1    | 1 Hom          | 1 Hom, 35 mult.
4     | 2^20 + 7 | 1                | 1    | 4    | 1 Hom          | 1 Hom, 35 mult.


5.2 On the MOVA Scheme

We point out here that our scheme generalizes the MOVA scheme [19] and improves the efficiency of the denial protocol of MOVA. An additional contribution to MOVA is also the improvement of some bounds related to the probability of a function approximating Hom from which we can compute Hom in polynomial time. Our new bound with 1/p allows us to formally prove the conjectured security level of MOVA.

5.3 Batch Verification and Selective Convertibility

We point out that our scheme allows a batch verification of signatures. Indeed, the confirmation protocol can be easily adapted in order to confirm several signatures at the same time by putting all (Xsig_k, Ysig_k) in a single set S.

Note that the signer with expert group knowledge can selectively convert an undeniable signature into a classical one by solving the MSR and Root problems on all Xsig_k. The conversion consists of revealing the solution to those problems.
6 Conclusion

We have presented an undeniable signature based on a generic group homomorphism interpolation and we have also analyzed its security in the random oracle model. The principal advantage is the size of the signature, which can be chosen arbitrarily short depending on the required security level. Confirmation and denial can be run in a 2-move protocol. We can perform batch verification and have selective convertibility. From this general setting we have also proposed a practical example with 3-byte signatures and a complexity cost which is similar to RSA. We hope that this example will be complemented by various additional settings since group homomorphisms are common objects in cryptography.

As future work, we also aim at extending our techniques to other cryptographic algorithms such as the designated confirmer signatures [8].

Acknowledgments. We wish to thank Anna Lysyanskaya and Wenbo Mao for 
helpful discussions and comments. 
A Technical Proofs

Proof of Lemma 2. 1 ⇔ 2 ⇔ 3. Straightforward.

3 ⇒ 4. Assume that there exists a common prime factor p of #(G/G') and d. Then, from the structure of the Abelian groups G/G' and H we know that each of these two groups possesses one cyclic subgroup, U and V respectively, of order p. So, we define a non-trivial homomorphism that is the composition of the isomorphism between the two cyclic subgroups with the reduction modulo U. This contradicts 3.

4 ⇒ 5. If x ∈ G, then d must be invertible modulo the order k of x mod G' by 4. Let m be such that m·d ≡ 1 (mod k). We have m·d·x ≡ x (mod G'). Hence, x − d(m·x) ∈ G' and therefore x ∈ G' + dG.

5 ⇒ 2. If φ ∈ Hom(G, H) is such that φ(x_i) = 0 for i = 1, ..., s, and x ∈ G, we can write x = a_1 x_1 + ··· + a_s x_s + dr. Thus, φ(x) = dφ(r) = 0. This holds for all x ∈ G, i.e., φ = 0. □

Proof of Lemma 3. Let n be the order of G. Let h : G × Z_{dn}^s → G be the function defined by h(r, a_1, ..., a_s) = dr + a_1 x_1 + ··· + a_s x_s. Obviously, h is a homomorphism. It is onto G due to property 5 of Lemma 2. Hence, it is balanced onto G. Let p : G × Z_{dn}^s → G × Z_d^s be the function defined by p(r, a_1, ..., a_s) = (r + q_1 x_1 + ··· + q_s x_s, a_1 mod d, ..., a_s mod d), where a_i − (a_i mod d) = dq_i. We have g ∘ p = h. Obviously, p is balanced onto G × Z_d^s since p^{-1}(r, a_1, ..., a_s) = {(r − q_1 x_1 − ··· − q_s x_s, a_1 + dq_1, ..., a_s + dq_s) | (q_1, ..., q_s) ∈ Z_n^s}. If #g^{-1}(x) = m, we have m·n^s = #p^{-1}(g^{-1}(x)) = #h^{-1}(x) = (dn)^s. Hence, m = d^s does not depend on x, so g is balanced. □

Proof of Theorem 2 (Sketch). The decomposition of Xgroup comes from classical results on the structure of Abelian groups. We observe that we can handle each A_q independently because two elements generating two different A_q's generate the direct sum of these two groups, since the two respective group orders are coprime. We consider B_q := A_q / dA_q and study the probability that elements generate this group. If gcd(d, q) = 1, then B_q is trivial. So, we focus only on the q's that divide d and denote by e_q the largest integer such that $q^{e_q} \mid d$. We can also deduce that the structure of B_q satisfies

$B_q \simeq \mathbb{Z}_{q^{a_{q,1}}} \oplus \ldots \oplus \mathbb{Z}_{q^{a_{q,r}}} \oplus \mathbb{Z}_{q^{e_q}} \oplus \ldots \oplus \mathbb{Z}_{q^{e_q}},$

where r is the largest integer such that $a_{q,r} < e_q$. The probability that s elements do not generate B_q can be approximated by the probability that these elements stay in one of the largest non-trivial subgroups of B_q, i.e. those of order #B_q / q. The number of such subgroups is equal to k_q. Thus, this probability is greater than or equal to 1 − (…). Since these events are independent for the different B_q's, the final probability is obtained by multiplying these probabilities. □

Proof of Theorem 3 (Sketch). i. The assertion i is straightforward.

ii. First, we show that an attacker A having access to a signing oracle can be simulated by an attacker without this access. Indeed, when A calls the signing oracle on a message M, the signing oracle will first produce a sequence of Lsig values Xsig_1, ..., Xsig_Lsig ∈ Xgroup and then compute Ysig_i := Hom(Xsig_i) for i = 1, ..., Lsig. From the point of view of A, this is completely equivalent to having a random source generating pairs of the form (x, Hom(x)), since Gen2 is modelled as a random oracle. Assuming that S Ygroup-generates Xgroup, we see that this source can be simulated by picking some random r ∈ Xgroup, a_i's ∈ Z_d, computing x := dr + a_1 Xkey_1 + ··· + a_Lkey Xkey_Lkey and Hom(x) = a_1 Ykey_1 + ··· + a_Lkey Ykey_Lkey using Lemma 3. We denote now by x the challenged element of the GHI problem. We use our attacker A in order to compute the Hom(Xsig_i)'s as follows. We simulate Gen2 by computing $u := dr + x + \sum_j a_j \mathrm{Xkey}_j$ for some random r ∈ Xgroup, a_j ∈ Z_d. This is indistinguishable from some uniformly picked element in Xgroup. By standard proofs we show that forged signatures are necessarily one of the Gen2 queries, so we can deduce Hom(x) from Hom(u).

iii. For the confirmation, this directly comes from Theorem 1 property iii. For the denial, a cheating prover willing to deny a valid signature has to find the value of x_i at each round of the protocol. Since Hom(u_{i,k}) = w_{i,k}, the prover does not learn additional information from w_{i,k} and has to find x_i from u_{i,k} uniquely. He cannot find the x_i since another distribution of the values u_{i,k} with another x_i is indistinguishable from the first one. Assuming that the commitment scheme is perfectly binding, the cheating prover cannot do better than answering a random x_i.

iv. This directly comes from Theorem 1 property iv.

v. This works like in Lemma 5. We count how many times (x', y') is accepted after having picked x' = x + dr + a_1 Xkey_1 + ··· + a_Lkey Xkey_Lkey and y' = y + a_1 Ykey_1 + ··· + a_Lkey Ykey_Lkey. We use n = θ^{-1} log(1/ε) iterations.

vi. For the confirmation, this comes from property ii in Theorem 1. For the denial, this is done as in [15]. □
Abstract. We propose a group signature scheme with constant-size public key and signature length that does not require a trapdoor, so system parameters can be shared by multiple groups belonging to different organizations. The scheme is provably secure in the formal model recently proposed by Bellare, Shi and Zhang (BSZ04), using the random oracle model and the Decisional Bilinear Diffie-Hellman and Strong Diffie-Hellman assumptions. We give a more efficient variant scheme and prove its security in a formal model which is a modification of the BSZ04 model and has a weaker anonymity requirement. Both schemes are very efficient and the sizes of signatures are approximately one half and one third, respectively, of the sizes of the well-known ACJT00 scheme. We also use the schemes to construct a traceable signature scheme.



1 Introduction

Group signature schemes, introduced by Chaum and Van Heyst [14], allow a group member to sign a message on behalf of the group without revealing his identity and without allowing the message to be linkable to other signed messages that are verifiable with the same public key. Participants in a group signature scheme are a set of group members and a group manager. The role of the group manager is to register new users by issuing membership certificates that contain registration details, and in case of dispute about a signed message, revoking anonymity of the signed message by 'opening' the signature. In some schemes the functions of the group manager can be split between two managers: an issuer and an opener. This is a desirable property that allows distribution of trust. It is required that no collusion of the issuer and the opener can frame a group member. Group signatures are among the most important cryptographic primitives for providing privacy and have been used for applications such as anonymous credentials [2], identity escrow [21], voting and bidding [1], and electronic cash [23]. Kiayias et al. [18] also introduced the traceable signature primitive, which is basically the group signature system with added properties allowing a variety of levels for protecting user privacy.

In early group signature schemes [9, 14, 15] the size of the public key and the signature grew with the size of the group and so the schemes were impractical for large groups. Schemes with fixed size group public key and signature length have been first proposed in [13] and later extended in [12, 1, 2]. In Crypto 2000, Ateniese et al. (ACJT00) [1] proposed an efficient group signature scheme with very short length and low computation cost. This scheme is also the only scheme that has been proved to satisfy the informal list of security requirements of group signature schemes. Ateniese and de Medeiros (AdM03) proposed an efficient group signature scheme [2] that is 'without trapdoor' in the sense that none of the parties in the system, including the group manager, need to know the trapdoor. That is, the system trapdoor is only used during the initialisation to generate system parameters. The advantage of this property is that the same trapdoor information can be used to initiate different groups. The importance and usefulness of this property in real-world applications, for example when the group signature scheme is used as a building block of an anonymous credential system among a number of organizations that need to communicate and transfer information about users while protecting their privacy, have been outlined in [2]. A drawback of the AdM03 scheme is that it has a single group manager who is responsible for registration of users and opening of signatures, and it is not possible to separate the two functionalities. In the AdM03 scheme, the group manager stores the certificate (r, s) of each member. The signature of a group member contains elements x and E_i satisfying the equation E_i = x^r, and so, to revoke a signature, the group manager (or any party with the knowledge of the certificates) can try all certificates to find the one satisfying the equation. This is a computationally expensive process. The security proof (corrected version) is for the informal list of security requirements, and is given in the generic model [3].

Security of a group signature scheme has been traditionally proved by showing that it satisfies a list of informally defined requirements. Bellare et al. [4] gave a formal security model (BSZ04) for (partially) dynamic groups with four security requirements (Correctness, Anonymity, Traceability and Non-frameability). The model uses various oracles including an Open oracle that takes a signed message and reveals the identity of the signer. Although the ACJT00 scheme satisfies the conventional list of requirements, it cannot be proved secure in the formal model, mainly because of the inclusion of the Open oracle in the model. Kiayias et al. [19] proposed an extension (KY04 scheme) of the ACJT00 scheme that is proved secure in their formal model. A new direction in constructing group signature schemes is to use bilinear pairings to shorten the lengths of the signature and key. Boneh et al. [7] proposed a short group signature scheme (BBS04) based on the Strong Diffie-Hellman assumption and a new assumption called the Decisional Linear assumption. The scheme is provably secure in a formal model where the Opening oracle is not available and the Non-frameability property is not required, in comparison with the BSZ04 model. They also showed how to construct an extension which provides Non-frameability (exculpability). Based on the LRSW assumption [22], Camenisch and Lysyanskaya [11] proposed a group signature scheme (CL04) derived from a signature scheme which allows an efficient zero-knowledge proof of the knowledge of a signature on a committed message, and used it to construct an efficient anonymous credential system.
Our Contribution

In this paper, we first propose a new efficient group signature scheme with a number of attractive properties and prove its security in the BSZ04 model under the Decisional Bilinear Diffie-Hellman and Strong Diffie-Hellman assumptions, using the random oracle model. We then give an efficient variant of this scheme and prove its security in the reduced version of the BSZ04 model. The only difference between the original BSZ04 model and the reduced version is in modelling the anonymity property, as in the reduced version the adversary does not have access to the Open oracle. This is a plausible model for all cases where the opener is a highly trusted entity and cannot be accessed by the adversary. We also extend the variant scheme to a provably secure traceable signature scheme.

All proposed schemes have fixed lengths for group public key and signature, and so can be used for large size groups. Using elliptic curve cryptography in our schemes results in shorter lengths for signatures and keys. For example, for a comparable level of security as the ACJT00 scheme with 1024 bit composite modulus, our group signature schemes require elliptic curve groups of order 170 bit prime, resulting in the sizes of signatures in our two schemes being one third and one half, respectively, of the size in the ACJT00 scheme. For higher security levels this ratio will be smaller.

Our schemes can be converted into identity escrow systems or extended to support efficient membership revocation, as shown in [26]. The schemes are trapdoor-free. The only other trapdoor-free scheme is the AdM03 scheme, which uses a trapdoor in the initialisation of the system and assumes that the initialising party "safely forgets" the trapdoor. An advantage of our schemes over the AdM03 scheme is that they allow separation of the issuer and the opener, hence distribution of trust. Finally, in our schemes the interactive protocol underlying the signature scheme achieves honest verifier perfect zero-knowledge without any computational assumption, whereas in the ACJT00 and KY04 schemes the corresponding protocols achieve honest verifier statistical zero-knowledge under the Strong RSA assumption.

The paper is organized as follows. Section 2 gives related background and Section 3 describes our group signature scheme and its security proofs. Section 4 gives a modification of the BSZ04 formal model and a variant group signature scheme, and proves that the variant scheme and the ACJT00 scheme are secure in the modified model. Section 5 describes our traceable signature scheme and Section 6 provides an efficiency comparison with the ACJT00 scheme.



2 Preliminaries

2.1 Bilinear Pairings

Let G_1, G_2 be cyclic additive groups generated by P_1 and P_2, respectively, both with order p, a prime, and G_M be a cyclic multiplicative group with the same order. Suppose there is an isomorphism ψ : G_2 → G_1 such that ψ(P_2) = P_1. Let e : G_1 × G_2 → G_M be a bilinear pairing with the following properties:

1. Bilinearity: e(aP, bQ) = e(P, Q)^{ab} for all P ∈ G_1, Q ∈ G_2, a, b ∈ Z_p

2. Non-degeneracy: e(P_1, P_2) ≠ 1

3. Computability: There is an efficient algorithm to compute e(P, Q) for all P ∈ G_1, Q ∈ G_2

Efficient and Provably Secure Trapdoor-Free Group Signature Schemes 375

For simplicity, hereafter, we set G_1 = G_2 and P_1 = P_2, but our group signature schemes can be easily modified for the case when G_1 ≠ G_2. For a group G of prime order, hereafter, we denote the set G^* = G \ {O} where O is the identity element of the group.

We define a Bilinear Pairing Instance Generator as a Probabilistic Polynomial Time (PPT) algorithm 𝒢 that takes as input a security parameter and returns a uniformly random tuple t = (p, G_1, G_M, e, P) of bilinear pairing parameters, including a prime number p of size l, a cyclic additive group G_1 of order p, a multiplicative group G_M of order p, a bilinear map e : G_1 × G_1 → G_M and a generator P of G_1.

2.2 Complexity Assumptions

For a function f : N → R, if for every positive number α there exists a positive integer l_0 such that for every integer l > l_0 it holds that f(l) < (…), then f is said to be negligible. If there exists a positive number α_0 such that for every positive integer l it holds that f(l) < (…), then f is said to be polynomial-bound.

The q-SDH assumption originates from a weaker assumption introduced by Mitsunari et al. [24] to construct traitor tracing schemes [28] and later used by Zhang et al. [30] and Boneh et al. [5] to construct short signatures. It intuitively means that there is no PPT algorithm that can compute a pair $(c, \frac{1}{x+c} P)$, where c ∈ Z_p, from a tuple (P, xP, ..., x^q P), where x ∈_R Z_p^*.

q-Strong Diffie-Hellman (q-SDH) Assumption. For every PPT algorithm A, the following function $\mathrm{Adv}^{q\text{-}SDH}_A(l)$ is negligible.

$\mathrm{Adv}^{q\text{-}SDH}_A(l) = \Pr[(A(t, P, xP, \ldots, x^q P) = (c, \tfrac{1}{x+c} P)) \wedge (c \in \mathbb{Z}_p)]$

where t = (p, G_1, G_M, e, P) ← 𝒢(1^l) and x ← Z_p^*.

Intuitively, the DBDH assumption [6] states that there is no PPT algorithm that can distinguish between a tuple (aP, bP, cP, e(P, P)^{abc}) and a tuple (aP, bP, cP, Γ), where Γ ∈_R G_M (i.e., chosen uniformly at random from G_M) and a, b, c ∈_R Z_p^*. It is defined as follows.

Decisional Bilinear Diffie-Hellman (DBDH) Assumption. For every PPT algorithm A, the following function $\mathrm{Adv}^{DBDH}_A(l)$ is negligible.

$\mathrm{Adv}^{DBDH}_A(l) = \left|\Pr[A(t, aP, bP, cP, e(P,P)^{abc}) = 1] - \Pr[A(t, aP, bP, cP, \Gamma) = 1]\right|$

where t = (p, G_1, G_M, e, P) ← 𝒢(1^l), Γ ← G_M and a, b, c ← Z_p^*.
2.3 Bilinear Pairing Versions of El Gamal Public Key System

Based on the DBDH assumption, we can construct two bilinear pairing versions of the El Gamal public key system. El Gamal^{BP1} provides Indistinguishability against adaptive Chosen Plaintext Attack (IND-CPA) and El Gamal^{BP2} provides Indistinguishability against adaptive Chosen Ciphertext Attack (IND-CCA) in the random oracle model. Due to space limitation, we only provide a description of El Gamal^{BP2}. This is the bilinear pairing version of the scheme presented and proved by Fouque and Pointcheval [17]. A description of El Gamal^{BP1} can be found in the full version of this paper [25].

Key generation: Let p, G_1, G_M, e be bilinear pairing parameters, as defined above, and G be a generator of G_1. Suppose x_a, x_b ∈_R Z_p^* and Θ_a = e(G, G)^{x_a} and Θ_b = e(G, G)^{x_b}. The public key is pk = (G, Θ_a, Θ_b) and the secret key is sk = (x_a, x_b). Choose a hash function H_1 : {0, 1}^* → Z_p (a random oracle).

Encryption: A plaintext Δ ∈ G_M can be encrypted by choosing t_a, t_b ∈_R Z_p^* and computing (E_a, Λ_a) = (t_a G, Δ Θ_a^{t_a}), (E_b, Λ_b) = (t_b G, Δ Θ_b^{t_b}) and a non-interactive zero-knowledge proof ς = (c, ρ_a, ρ_b) of equality of plaintexts between (E_a, Λ_a) and (E_b, Λ_b). The proof ς can be computed by choosing w_a, w_b ∈_R Z_p and computing c = H_1(G || Θ_a || Θ_b || E_a || Λ_a || E_b || Λ_b || w_a G || w_b G || Θ_a^{w_a} Θ_b^{w_b}), ρ_a = w_a − t_a c and ρ_b = w_b + t_b c. The ciphertext is (E_a, Λ_a, E_b, Λ_b, ς).

Decryption: Given a ciphertext (E_a, Λ_a, E_b, Λ_b, ς), first check the validity of ς by verifying

c = H_1(G || Θ_a || Θ_b || E_a || Λ_a || E_b || Λ_b || ρ_a G + cE_a || ρ_b G − cE_b || Θ_a^{ρ_a} Θ_b^{ρ_b} (Λ_a / Λ_b)^c),

then compute the plaintext Δ = Λ_a / e(E_a, G)^{x_a} = Λ_b / e(E_b, G)^{x_b}.

Security: The security of the El Gamal^{BP2} system is stated in Theorem 1.

Theorem 1. The El Gamal^{BP2} encryption scheme is IND-CCA if the DBDH assumption holds, in the random oracle model.

3 The Group Signature Scheme

3.1 Overview

Our group signature scheme is built upon two ordinary signature schemes. The first one is used in the Join, Iss protocol for the issuer to generate a signature (a_i, S_i) for each x_i, which is randomly generated by both a member and the issuer, but known only to the member. The second ordinary signature scheme is used in the GSig algorithm as the non-interactive version of a zero-knowledge protocol that proves the signer's knowledge of (a_i, S_i) and x_i. The security of the two signature schemes underlies the security of the group signature scheme.

Our group signature scheme is constructed in cyclic groups with bilinear mappings. For simplicity, we present the scheme when the groups G_1 and G_2 are the same; however, it can be easily modified for the general case when G_1 ≠ G_2. The users do not perform any pairing operation when signing, but pairing operations play an important role in the verification algorithm GVf. Intuitively, bilinear pairings allow a party, given A, B, C, D ∈ G_1, to prove that log_A B = log_C D without knowing log_A B or log_A C. This is not possible in cyclic groups without bilinear pairings and where the DDH assumption holds.



3.2 Descriptions

We describe our group signature scheme according to the BSZ04 model, which is omitted in this paper due to space limitation. Our group signature scheme consists of two group managers (the issuer and the opener), and users with unique identities i ∈ N (the set of positive integers). Each user can join the group and become a group member. The scheme is specified as a tuple (GKg, UKg, Join, Iss, GSig, GVf, Open, Judge) of polynomial-time algorithms which are defined as follows. We assume that the group size and the number of queries asked by the adversary are polynomially bounded by the security parameter l.

GKg: Suppose l is a security parameter and the Bilinear Pairing Instance Generator 𝒢 generates a tuple of bilinear pairing parameters t = (p, G_1, G_M, e, P) ← 𝒢(1^l), which is also the publicly shared parameters. Choose a hash function H_2 : {0, 1}^* → Z_p, which is assumed to be a random oracle in the security proofs. Choose P_0, G, H ∈_R G_1 and x, x_a, x_b ∈_R Z_p^* and compute P_pub = xP, Θ_a = e(G, G)^{x_a} and Θ_b = e(G, G)^{x_b}. The group public key is gpk = (P, P_0, P_pub, H, G, Θ_a, Θ_b), the issuing key is ik = x, and the opening key is ok = (x_a, x_b).

UKg: This algorithm generates keys that provide authenticity for messages sent by the user in the (Join, Iss) protocol. This algorithm is the key generation algorithm Ks of any digital signature scheme (Ks, Sign, Ver) that is unforgeable against chosen message attacks (UNF-CMA). A user i runs the UKg algorithm that takes as input a security parameter and outputs a personal public and private signature key pair (upk[i], usk[i]). Public Key Infrastructure (PKI) can be used here. Although any UNF-CMA signature scheme can be used, using schemes whose security is based on the DBDH or SDH assumptions will reduce the underlying assumptions of our group signature scheme. One example of such a scheme is in [5].

Join, Iss: In this protocol, a user i and the issuer first jointly generate a random value x_i ∈ Z_p^* whose value is only known by the user. The issuer then generates (a_i, S_i) for the user so that e(a_i P + P_pub, S_i) = e(P, x_i P + P_0). The user uses usk[i] to sign his messages in the protocol. Note that the formal model assumes the communication to be private and authenticated. We also assume that the communication is protected from replay attacks. The protocol is as follows.

1. user i → issuer: I = yP + rH, where y, r ∈_R Z_p^*.

2. user i ← issuer: u, v ∈_R Z_p^*.

3. The user computes x_i = uy + v, P_i = x_i P.

4. user i → issuer: P_i and a proof of knowledge of (x_i, r') such that P_i = x_i P and vP + uI − P_i = r'H (see [12] for this proof).

5. The issuer verifies the proof, then chooses a_i different from all corresponding elements previously issued, and computes $S_i = \frac{1}{a_i + x}(P_i + P_0)$.

6. user i ← issuer: a_i, S_i.

7. The user computes Δ_i = e(P, S_i), verifies that e(a_i P + P_pub, S_i) = e(P, x_i P + P_0), and stores the private signing key gsk[i] = (x_i, a_i, S_i, Δ_i). Note that only the user knows x_i. The issuer also computes Δ_i and makes an entry in the table reg: reg[i] = (i, Δ_i, (Join, Iss) transcript).

GSig: A group signature of a user $i$ shows his knowledge of $(a_i, S_i)$ and a secret 
$x_i$ such that $e(a_iP + P_{pub}, S_i) = e(P, x_iP + P_0)$. The signature does not reveal 
any information about his knowledge to anyone, except for the opener, who can 
compute $A_i$ by decrypting an encryption of that value. The algorithm for a user 
$i$ to sign a message $m \in \{0,1\}^*$ is as follows. 

1. Encrypt $A_i$ with the two-key El Gamal variant under the public key $(G, \theta_a, \theta_b)$ as $(E_a = tG, A_a = 
A_i\theta_a^t, E_b, A_b, \varsigma)$. 

2. Perform the non-interactive version of a protocol, which we call the Signing 
protocol, as follows. Generate $r_1, r_2, r_3, k_0, \ldots, k_5 \in_R \mathbb{Z}_p^*$ and compute 

(a) $U = r_1(a_iP + P_{pub})$; $V = r_2S_i$; $W = r_1r_2(x_iP + P_0)$; $X = r_2U + r_3H$; 
$T_1 = k_1P + k_2P_{pub} + k_0H$; $T_2 = k_3P + k_2P_0$; $T_3 = k_4U + k_0H$; $T_4 = 
k_5G - k_4E_a$; $\Pi = \theta_a^{k_5}A_a^{-k_4}$. 

(b) $c = \mathcal{H}_2(gpk\|E_a\|A_a\|E_b\|A_b\|U\|V\|W\|X\|T_1\|\ldots\|T_4\|\Pi\|m)$. 

(c) Compute in $\mathbb{Z}_p$: $s_0 = k_0 + cr_3$; $s_1 = k_1 + cr_1r_2a_i$; $s_2 = k_2 + cr_1r_2$; 
$s_3 = k_3 + cr_1r_2x_i$; $s_4 = k_4 + cr_2$; $s_5 = k_5 + cr_2t$. 

3. Output the signature $(c, s_0, \ldots, s_5, U, V, W, X, E_a, A_a, E_b, A_b, \varsigma)$ for $m$. 

GVf: The verification algorithm for $m$, $(c, s_0, \ldots, s_5, U, V, W, X, E_a, A_a, E_b, A_b, \varsigma)$ 
outputs accept if and only if verifying the proof $\varsigma$ outputs accept and the following 
two equations hold: $e(U, V) = e(P, W)$ and 
$$c = \mathcal{H}_2(gpk\|E_a\|A_a\|E_b\|A_b\|U\|V\|W\|X\|s_1P + s_2P_{pub} + s_0H - cX\|s_3P + s_2P_0 - cW\|s_4U + s_0H - cX\|s_5G - s_4E_a\|\theta_a^{s_5}A_a^{-s_4}e(P, cV)\|m).$$

Open: To open $m$ and its valid signature $(c, s_0, \ldots, s_5, U, V, W, X, E_a, A_a, E_b, A_b, 
\varsigma)$ to find the signer, the opener performs the following steps. 

1. Use the GVf algorithm to check the signature's validity. If the algorithm rejects, 
return $(0, \epsilon)$, where $\epsilon$ denotes an empty string. 

2. Compute $A_i = A_a\,e(E_a, G)^{-x'_a}$ and find the corresponding entry $i$ in the 
table $reg$. If no entry is found, return $(0, \epsilon)$. 

3. Return $reg[i]$ and a non-interactive zero-knowledge proof $\varrho$ of knowledge of 
$x'_a$ so that $\theta_a = e(G, G)^{x'_a}$ and $A_a/A_i = e(E_a, G)^{x'_a}$ (see [12] for this proof). 

Judge: On an output by the Open algorithm for a message $m$ and its signature 
$\omega$, the Judge algorithm is performed as follows: 

1. If the Open algorithm outputs $(0, \epsilon)$, run the GVf algorithm on $m, \omega$. If GVf rejects, 
return accept; otherwise, return reject. 

2. If the Open algorithm outputs $(reg[i], \varrho)$, return reject if one of the following 
happens: (i) on $m, \omega$, the GVf algorithm rejects; (ii) verification of the proof 
$\varrho$ rejects; (iii) the (Join, Iss) transcript is invalid with regard to $upk[i]$; (iv) 
$A_i \neq e(P, S_i)$ where $S_i$ is extracted from the (Join, Iss) transcript. Otherwise, 
return accept. 
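The following is an added worked example (not code from the paper) that runs the algebra of GKg, Join/Iss, GSig, GVf and Open above end to end. The bilinear groups are replaced by a deliberately insecure stand-in, an assumption made only so the example runs offline: $\mathbb{G}_1$ is the additive group $\mathbb{Z}_p$ with $P$ a nonzero residue, $\mathbb{G}_M$ is the order-$p$ subgroup of $\mathbb{Z}_q^*$, and $e(A, B) = g_T^{AB}$, which is bilinear and non-degenerate but offers no hardness at all. Only the single-key $(E_a, A_a)$ encryption of $A_i$ is modelled; the second component $(E_b, A_b, \varsigma)$ is left out, so the verifier recomputes exactly the $T_1, \ldots, T_4$ and $\Pi$ terms given in GVf.

```python
import hashlib
import secrets

# Constructed toy parameters: q = 2p + 1 is prime, so 4 = 2^2 generates the
# order-p subgroup of Z_q^*.  Nothing here is cryptographically secure.
p, q, gT = 1019, 2039, 4


def e(A, B):
    """Toy symmetric pairing G1 x G1 -> GM over the stand-in groups."""
    return pow(gT, (A * B) % p, q)


def H2(*parts):
    """Hash to Z_p (the random oracle H2 of the paper); parts are ints or bytes."""
    data = b"|".join(x if isinstance(x, bytes) else str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % p


def rand():
    return 1 + secrets.randbelow(p - 1)   # element of Z_p^*


def gkg():
    """GKg for the single-key variant: returns (gpk, ik, ok)."""
    P, P0, G, H = rand(), rand(), rand(), rand()
    x, xa = rand(), rand()
    gpk = dict(P=P, P0=P0, Ppub=x * P % p, H=H, G=G, theta_a=pow(e(G, G), xa, q))
    return gpk, x, xa


def join(gpk, ik, reg, i, used):
    """Join/Iss collapsed into one function: returns gsk[i] and fills reg."""
    P, P0 = gpk["P"], gpk["P0"]
    xi = rand()                                    # in the protocol: x_i = u*y + v
    while True:                                    # fresh a_i with a_i + x invertible
        ai = rand()
        if ai not in used and (ai + ik) % p:
            break
    used.add(ai)
    Si = pow(ai + ik, -1, p) * (xi * P + P0) % p   # S_i = (P_i + P0) / (a_i + x)
    assert e((ai * P + gpk["Ppub"]) % p, Si) == e(P, (xi * P + P0) % p)  # step 7 check
    Ai = e(P, Si)
    reg[Ai] = i                                    # reg[i] = (i, A_i, transcript)
    return (xi, ai, Si, Ai)


def gsig(gpk, gsk, m):
    P, P0, Ppub, H, G, ta = (gpk[k] for k in ("P", "P0", "Ppub", "H", "G", "theta_a"))
    xi, ai, Si, Ai = gsk
    t = rand()
    Ea, Aa = t * G % p, Ai * pow(ta, t, q) % q     # El Gamal-type encryption of A_i
    r1, r2, r3 = rand(), rand(), rand()
    k0, k1, k2, k3, k4, k5 = (rand() for _ in range(6))
    U = r1 * (ai * P + Ppub) % p
    V = r2 * Si % p
    W = r1 * r2 * (xi * P + P0) % p
    X = (r2 * U + r3 * H) % p
    T1 = (k1 * P + k2 * Ppub + k0 * H) % p
    T2 = (k3 * P + k2 * P0) % p
    T3 = (k4 * U + k0 * H) % p
    T4 = (k5 * G - k4 * Ea) % p
    Pi = pow(ta, k5, q) * pow(Aa, (-k4) % p, q) % q
    c = H2(*gpk.values(), Ea, Aa, U, V, W, X, T1, T2, T3, T4, Pi, m)
    s = [(k0 + c * r3) % p, (k1 + c * r1 * r2 * ai) % p, (k2 + c * r1 * r2) % p,
         (k3 + c * r1 * r2 * xi) % p, (k4 + c * r2) % p, (k5 + c * r2 * t) % p]
    return (c, s, U, V, W, X, Ea, Aa)


def gvf(gpk, m, sig):
    P, P0, Ppub, H, G, ta = (gpk[k] for k in ("P", "P0", "Ppub", "H", "G", "theta_a"))
    c, (s0, s1, s2, s3, s4, s5), U, V, W, X, Ea, Aa = sig
    if e(U, V) != e(P, W):
        return False
    T1 = (s1 * P + s2 * Ppub + s0 * H - c * X) % p
    T2 = (s3 * P + s2 * P0 - c * W) % p
    T3 = (s4 * U + s0 * H - c * X) % p
    T4 = (s5 * G - s4 * Ea) % p
    Pi = pow(ta, s5, q) * pow(Aa, (-s4) % p, q) * e(P, c * V % p) % q
    return c == H2(*gpk.values(), Ea, Aa, U, V, W, X, T1, T2, T3, T4, Pi, m)


def open_sig(gpk, ok, reg, m, sig):
    """Open: A_i = Aa * e(Ea, G)^(-x'a), then look A_i up in reg."""
    if not gvf(gpk, m, sig):
        return None
    Ea, Aa = sig[6], sig[7]
    Ai = Aa * pow(pow(e(Ea, gpk["G"]), ok, q), -1, q) % q
    return reg.get(Ai)


def demo():
    """Sign as user 2, verify, reject a tampered W, and open to recover the signer."""
    gpk, ik, ok_key = gkg()
    reg, used = {}, set()
    keys = {i: join(gpk, ik, reg, i, used) for i in (1, 2, 3)}
    m = b"constructed message"
    sig = gsig(gpk, keys[2], m)
    c, s, U, V, W, X, Ea, Aa = sig
    tampered = (c, s, U, V, (W + 1) % p, X, Ea, Aa)   # breaks e(U, V) = e(P, W)
    return gvf(gpk, m, sig), gvf(gpk, m, tampered), open_sig(gpk, ok_key, reg, m, sig)
```

The tampered signature is rejected by the pairing equation before the hash is recomputed, which is why that check is listed first in GVf; the opener learns nothing beyond $A_i$, and $A_i$ is only meaningful through the `reg` table.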

Remarks: 

- Our scheme is trapdoor-free. This improves efficiency and manageability, and 
various groups can share the same initial set-up $p, \mathbb{G}_1, \mathbb{G}_M, e, P, P_0, G, H$. 

- Our Signing protocol achieves honest-verifier perfect zero-knowledge and 
does not rely on any complexity assumption. This indicates a higher level of 
unconditional security: from a signature, an adversary with unlimited power 
(but without access to the $reg$ table) can compute only a part of the signer's 
registration information ($S_i$), whereas, in the ACJT00 and KY04 schemes, 
the adversary can find all parts of the signer's private signing key. 

3.3 Security Proofs 

Theorem 2. The group signature scheme GS1 provides Correctness. 

Theorem 3. The group signature scheme GS1 provides Anonymity in the random 
oracle model if the Decisional Bilinear Diffie-Hellman assumption holds. 

Theorem 4. The group signature scheme GS1 provides Traceability in the random 
oracle model if the q-Strong Diffie-Hellman assumption holds, where $q$ is 
the upper bound of the group size. 

Theorem 5. The group signature scheme GS1 provides Non-frameability in the 
random oracle model if the Discrete Logarithm assumption holds over the group 
$\mathbb{G}_1$ and the digital signature scheme $(K_S, \mathrm{Sign}, \mathrm{Ver})$ is UNF-CMA. 

Proofs of these theorems can be found in the full version [25]. We provide 
here the proofs of two important properties that underlie these theorems, i.e. 
the Zero-knowledge property of the Signing protocol in the GSig algorithm and the 
Coalition-Resistance of GS1 and GS2. In our definition, Coalition-Resistance 
intuitively means that a colluding group of signers, with the knowledge of the 
opening key and access to some oracles, should not be able to generate a new valid 
user private signing key. For a group signature scheme $\mathcal{GS}$, a PPT adversary $\mathcal{A}$, 
a PPT predicate $\mathcal{U}$ that can determine the validity of a user private signing key, 
and any security parameter $l \in \mathbb{N}$, the formula of the experiment for Coalition- 
Resistance is as follows. 

$$\begin{array}{l}
\text{Experiment } \mathbf{Exp}_{\mathcal{GS},\mathcal{A},\mathcal{U}}(l) \\
\quad (gpk, ik, ok) \leftarrow \mathrm{GKg}(1^l);\ CU \leftarrow \emptyset;\ HU \leftarrow \emptyset \\
\quad gsk' \leftarrow \mathcal{A}(gpk, ok : \mathrm{CrptU}(\cdot,\cdot), \mathrm{SndToI}(\cdot,\cdot), \mathrm{AddU}(\cdot), \mathrm{RReg}(\cdot), \mathrm{USK}(\cdot)) \\
\quad \text{If } gsk' \in \{gsk[i] \mid i \in CU \cup HU\} \text{ then return } 0 \text{ else return } \mathcal{U}(gpk, gsk')
\end{array}$$

$HU$ is a set of honest users; $CU$ a set of corrupted users; $GSet$ a set of 
message-signature pairs; $\mathrm{AddU}(\cdot)$ the add user oracle; $\mathrm{CrptU}(\cdot,\cdot)$ the corrupt user 
oracle; $\mathrm{SndToI}(\cdot,\cdot)$ the send to issuer oracle; $\mathrm{USK}(\cdot)$ the user secret keys oracle; 
$\mathrm{RReg}(\cdot)$ the read registration table oracle. The group signature scheme $\mathcal{GS}$ pro- 
vides Coalition-Resistance if the following function is negligible: 

$$\Pr\left[\mathbf{Exp}_{\mathcal{GS},\mathcal{A},\mathcal{U}}(l) = 1\right].$$

Lemma 1. The interactive Signing protocol underlying the GSig algorithm is a 
(honest-verifier) perfect zero-knowledge proof of knowledge of $(a_i, S_i)$, $x_i$ and $t$ 
such that $e(a_iP + P_{pub}, S_i) = e(P, x_iP + P_0)$, $E_a = tG$ and $A_a = e(P, S_i)\theta_a^t$. 

Proof. The proof for completeness is straightforward. The proofs of Soundness 
and the Zero-knowledge property are as follows. 

Soundness: If the protocol accepts with non-negligible probability, we show that 
the prover must have knowledge of $(a_i, S_i)$, $x_i$ and $t$ satisfying the rela- 
tions stated in the lemma. Suppose the protocol accepts, for the same commit- 
ment $(U, V, W, X, T_1, \ldots, T_4, \Pi)$, two different pairs of challenges and responses 
$(c, s_0, \ldots, s_5)$ and $(c', s'_0, \ldots, s'_5)$. Let $f_i = \frac{s_i - s'_i}{c - c'}$, $i = 0, \ldots, 5$; then: 

$$X = f_1P + f_2P_{pub} + f_0H;\quad W = f_3P + f_2P_0;\quad X = f_4U + f_0H;\quad E_a = f_5f_4^{-1}G;\quad e(P, V) = \theta_a^{-f_5}A_a^{f_4};$$
$$\text{so } U = f_1f_4^{-1}P + f_2f_4^{-1}P_{pub}.$$

Let $a_i = f_1f_2^{-1}$, $S_i = f_4^{-1}V$, $x_i = f_3f_2^{-1}$, $t = f_5f_4^{-1}$; then $E_a = tG$, $A_a = 
e(P, S_i)\theta_a^t$ and $e(a_iP + P_{pub}, S_i) = e(P, x_iP + P_0)$, as $e(U, V) = e(P, W)$. So the 
prover has knowledge of $(a_i, S_i)$, $x_i$ and $t$ satisfying the relations. 

Zero-knowledge: The simulator chooses $c, s_0, \ldots, s_5 \in_R \mathbb{Z}_p$, $b \in_R \mathbb{Z}_p^*$, $X, V \in_R \mathbb{G}_1$ 
and computes $U = bP$, $W = bV$, $T_1 = s_1P + s_2P_{pub} + s_0H - cX$, $T_2 = s_3P + 
s_2P_0 - cW$, $T_3 = s_4U + s_0H - cX$, $T_4 = s_5G - s_4E_a$ and $\Pi = \theta_a^{s_5}A_a^{-s_4}e(P, cV)$. 

We can see that the distribution of the simulation is the same as the distribution 
of the real transcript. 

Lemma 2. If the q-SDH assumption holds, then the group signature schemes 
GS1 and GS2, whose group sizes are bounded by $q$, provide Coalition-Resistance, 
where the predicate $\mathcal{U}$ is defined as: 

$$\mathcal{U}((P, P_0, P_{pub}, \ldots), (x_i, a_i, S_i, A_i)) = 1 \iff e(a_iP + P_{pub}, S_i) = e(P, x_iP + P_0).$$

Proof. We prove the lemma for both GS1 and GS2. Suppose there is a PPT 
adversary $\mathcal{A}$ that can break the Coalition-Resistance property of GS1 or GS2 
with respect to the predicate $\mathcal{U}$ defined above. Let the set of private signing keys 
generated during $\mathcal{A}$'s attack be $\{(x_i, a_i, S_i, A_i)\}_{i=1}^{q}$ and let his output be a new 
private signing key $(x^*, a^*, S^*, A^*)$ with non-negligible probability (that means 
$(a^*, S^*) \notin \{(a_i, S_i)\}_{i=1}^{q}$). We show a construction of a PPT adversary $B$ that can 
break the q-SDH assumption. Suppose a tuple challenge $(Q, zQ, \ldots, z^qQ)$ is 
given, where $z \in_R \mathbb{Z}_p^*$; we show that $B$ can compute $(c, \frac{1}{z+c}Q)$, where $c \in \mathbb{Z}_p$, 
with non-negligible probability. We consider two cases. 

Case 1: This is a trivial case, where $\mathcal{A}$ outputs $S^* \in \{S_1, \ldots, S_q\}$ with non- 
negligible probability. In this case, $B$ chooses $x, x'_a, x'_b \in_R \mathbb{Z}_p^*$ and $G, H \in_R \mathbb{G}_1$, 
gives $\mathcal{A}$ the group signature public key $(P = Q, P_0 = zQ, P_{pub} = xP, H, G, \theta_a = 
e(G, G)^{x'_a}, \theta_b = e(G, G)^{x'_b})$ and the opening key $(x'_a, x'_b)$ (no $x'_b$ in case of 
GS2), and simulates a set of possible users. Then $B$ can simulate all oracles 
that $\mathcal{A}$ needs to access. Suppose a set of private signing keys $\{(x_i, a_i, S_i, A_i)\}_{i=1}^{q}$ 
is generated and $\mathcal{A}$ outputs a new $(x^*, a^*, S^*, A^*)$ with non-negligible proba- 
bility such that $S^* \in \{S_1, \ldots, S_q\}$. Suppose $S^* = S_j$, where $j \in \{1, \ldots, q\}$, then 
$\frac{1}{a^* + x}(x^*P + P_0) = \frac{1}{a_j + x}(x_jP + P_0)$, so $(a_j - a^*)P_0 = (a^*x_j - a_jx^* + x_jx - x^*x)P$. 
Therefore, $z$ is computable by $B$ from this, and so is $(c, \frac{1}{z+c}Q)$, for any 
$c \in \mathbb{Z}_p$. 

Case 2: This is when the first case does not hold. That means $\mathcal{A}$ outputs $S^* \notin 
\{S_1, \ldots, S_q\}$ with non-negligible probability. Then $B$ plays the following game: 

1. Generate $\alpha, a_i, x_i \in_R \mathbb{Z}_p^*$, $i = 1, \ldots, q$, where the $a_i$'s are different from one an- 
other, then choose $m \in_R \{1, \ldots, q\}$. 

2. Let $x = z - a_m$ ($B$ does not know $x$), then the following $P, P_{pub}, P_0$ are 
computable by $B$ from the tuple challenge. 

$$P = \prod_{i=1, i \neq m}^{q}(z + a_i - a_m)\,Q, \qquad 
P_{pub} = xP = (z - a_m)\prod_{i=1, i \neq m}^{q}(z + a_i - a_m)\,Q,$$
$$P_0 = \alpha\prod_{i=1}^{q}(z + a_i - a_m)\,Q - x_m\prod_{i=1, i \neq m}^{q}(z + a_i - a_m)\,Q.$$

3. Generate $x'_a, x'_b \in_R \mathbb{Z}_p^*$ and $G, H \in_R \mathbb{G}_1$ and give $\mathcal{A}$ the group signature pub- 
lic key $(P, P_0, P_{pub}, H, G, \theta_a = e(G, G)^{x'_a}, \theta_b = e(G, G)^{x'_b})$, the opening 
key $(x'_a, x'_b)$ (no $x'_b, \theta_b$ in case of GS2) and simulate a set of possible users. 

4. With the capabilities above, $B$ can simulate the oracles $\mathrm{CrptU}(\cdot,\cdot)$, $\mathrm{RReg}(\cdot)$ and 
$\mathrm{USK}(\cdot)$ that $\mathcal{A}$ needs to access. For $\mathrm{AddU}(\cdot)$ or $\mathrm{SndToI}(\cdot,\cdot)$, $B$ simulates the 
addition of an honest or corrupted user $i$ as follows. Playing both sides of 
the Join, Iss protocol, or being able to extract information from $\mathcal{A}$, $B$ simulates 
the protocol as specified so that the prepared $a_i, x_i$ above are computed in 
the protocol to be the corresponding parts of user $i$'s private signing key. 
$B$ can compute $S_i$ as follows: 

- If $i = m$, then $S_m = \frac{1}{a_m + x}(x_mP + P_0) = \alpha\prod_{i=1, i \neq m}^{q}(z + a_i - a_m)\,Q$. 
This is computable from the tuple challenge. 

- If $i \neq m$, then $S_i = \frac{1}{a_i + x}(x_iP + P_0) = (x_i - x_m)\prod_{j=1, j \neq i, m}^{q}(z + a_j - 
a_m)\,Q + \alpha z\prod_{j=1, j \neq i, m}^{q}(z + a_j - a_m)\,Q$. This is computable from the tuple 
challenge. 

5. Get the output $(x^*, a^*, S^*, A^*)$ from $\mathcal{A}$, where 

$$S^* = \frac{1}{a^* + x}(x^*P + P_0) = \frac{\alpha z + x^* - x_m}{z + a^* - a_m}\prod_{i=1, i \neq m}^{q}(z + a_i - a_m)\,Q.$$

We can see that the case $\alpha z + x^* - x_m = \alpha(z + a^* - a_m)$ happens with negligible 
probability, as it results in $S^* = S_m$. So the case $\alpha z + x^* - x_m \neq \alpha(z + a^* - a_m)$ 
happens with non-negligible probability $\varepsilon_1$. Suppose in this case, the probability 
that $a^* \in \{a_1, \ldots, a_q\}$ is $\varepsilon_2$. Then the probability that $a^* \notin \{a_1, \ldots, a_q\} \setminus \{a_m\}$ is 
$\varepsilon_1 - \frac{q-1}{q}\varepsilon_2$ (as $m \in_R \{1, \ldots, q\}$), which is also non-negligible if $q$ is polynomially 
bounded by the security parameter $l$. If $\alpha z + x^* - x_m \neq \alpha(z + a^* - a_m)$ and 
$a^* \notin \{a_1, \ldots, a_q\} \setminus \{a_m\}$, then $\frac{1}{z + a^* - a_m}Q$ is computable from the tuple challenge 
and $S^*$, and so $B$ can compute $(c, \frac{1}{z+c}Q)$, where $c = a^* - a_m$. 
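The polynomial bookkeeping behind Case 2 is easy to get wrong, so here is an added worked example (not the paper's code) that carries it out. The group $\mathbb{G}_1$ is replaced by the toy additive group $\mathbb{Z}_p$ (an assumption made only so the example runs offline), so a group element is an integer mod $p$ and the challenge $(Q, zQ, \ldots, z^qQ)$ is a list of such integers. The simulator $B$ never reads $z$: every element it hands out is a polynomial in $z$ evaluated as a linear combination of the challenge elements, exactly as in steps 2, 4 and 5, and the final extraction divides $(\alpha z + x^* - x_m)\prod_{i \neq m}(z + a_i - a_m)$ by $(z + c)$ to pull $\frac{1}{z+c}Q$ out of $S^*$. The remainder of that division is zero precisely in the two excluded cases of the proof.

```python
p = 1019                        # constructed toy modulus for the scalar field Z_p


def poly_mul(f, g):
    """Product of polynomials over Z_p (coefficient lists, lowest degree first)."""
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % p
    return out


def prod_over(consts):
    """prod (z + c) over the given constants c, as a polynomial in z."""
    f = [1]
    for c in consts:
        f = poly_mul(f, [c % p, 1])
    return f


def div_linear(f, c):
    """Synthetic division: f(z) = g(z)(z + c) + r.  Returns (g, r)."""
    rho, g, carry = (-c) % p, [0] * (len(f) - 1), 0
    for k in range(len(f) - 1, 0, -1):
        carry = (f[k] + rho * carry) % p
        g[k - 1] = carry
    return g, (f[0] + rho * carry) % p


def eval_on_challenge(f, chal):
    """f(z)*Q computed from (Q, zQ, ..., z^q Q) alone; z itself is never used."""
    assert len(f) <= len(chal), "degree exceeds the challenge length"
    return sum(a * zq for a, zq in zip(f, chal)) % p


def simulate_case2(chal, a, x, alpha, m):
    """B's side of steps 2 and 4: P, Ppub, P0 and every S_i from the challenge."""
    others = [i for i in range(len(a)) if i != m]
    Pi_m = prod_over([a[i] - a[m] for i in others])        # prod_{i != m} (z + a_i - a_m)
    P = eval_on_challenge(Pi_m, chal)
    Ppub = eval_on_challenge(poly_mul([-a[m], 1], Pi_m), chal)   # (z - a_m) * Pi_m
    P0_poly = [alpha * u % p for u in [0] + Pi_m]           # alpha * z * Pi_m ...
    for k, v in enumerate(Pi_m):                            # ... minus x_m * Pi_m
        P0_poly[k] = (P0_poly[k] - x[m] * v) % p
    P0 = eval_on_challenge(P0_poly, chal)
    S = []
    for i in range(len(a)):
        if i == m:
            S.append(eval_on_challenge([alpha * u % p for u in Pi_m], chal))
        else:
            Pi_im = prod_over([a[j] - a[m] for j in others if j != i])
            f = [(x[i] - x[m]) * u % p for u in Pi_im] + [0]  # (x_i - x_m) * Pi_{i,m}
            for k, v in enumerate(Pi_im):                    # + alpha * z * Pi_{i,m}
                f[k + 1] = (f[k + 1] + alpha * v) % p
            S.append(eval_on_challenge(f, chal))
    return P, Ppub, P0, S, Pi_m


def extract(chal, S_star, Pi_m, alpha, x_m, x_star, a_star, a_m):
    """Step 5: from S* = (alpha z + x* - x_m) Pi_m(z) / (z + c) Q recover 1/(z+c) Q."""
    c = (a_star - a_m) % p
    f = poly_mul([(x_star - x_m) % p, alpha % p], Pi_m)
    g, r = div_linear(f, c)
    if r == 0:   # alpha z + x* - x_m = alpha(z + c), or a* in {a_i} \ {a_m}: no extraction
        return None
    return c, pow(r, -1, p) * (S_star - eval_on_challenge(g, chal)) % p


def demo():
    """Run B against a forger that knows z; B itself only sees the challenge list."""
    z, Q = 777, 7                                     # constructed: known to the forger only
    a, x, alpha, m = [3, 11, 19, 27, 35], [5, 6, 7, 8, 9], 13, 2
    chal = [pow(z, k, p) * Q % p for k in range(len(a) + 1)]
    P, Ppub, P0, S, Pi_m = simulate_case2(chal, a, x, alpha, m)
    x_sec = (z - a[m]) % p                            # the issuing key B does not know
    sim_ok = Ppub == x_sec * P % p and all(
        (a[i] + x_sec) * S[i] % p == (x[i] * P + P0) % p for i in range(len(a)))
    x_star, a_star = 42, 100                          # the forger's new key (a* not in {a_i})
    S_star = pow(a_star + x_sec, -1, p) * (x_star * P + P0) % p
    c, sol = extract(chal, S_star, Pi_m, alpha, x[m], x_star, a_star, a[m])
    return sim_ok, (z + c) * sol % p == Q              # (z + c) * (1/(z+c) Q) == Q
```

The `sim_ok` flag checks that every simulated $S_i$ satisfies the predicate $\mathcal{U}$ under the issuing key $x = z - a_m$ that $B$ never sees; the second flag is the q-SDH solution check $(z + c)\cdot\frac{1}{z+c}Q = Q$.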

4 Variations 

4.1 Weak Anonymity Requirement 

We introduce this security requirement to account for a class of group signa- 
ture schemes, including the ACJT00 scheme, which cannot be proved to achieve the 
Anonymity requirement. The Weak Anonymity requirement is defined exactly the 
same as the Anonymity requirement, except that the adversary does not have ac- 
cess to the $\mathrm{Open}(\cdot,\cdot)$ oracle. In practice, when the opener is assumed to be 
uncorrupted as in the Anonymity requirement, it could be hard for the adversary to 
have access to the Open oracle. As the Open oracle is not used in the conventional 
list of requirements, the same argument as in [4] shows that Weak Anonymity, 
Traceability and Non-frameability are sufficient to imply the conventional list of 
requirements. 

4.2 A Variant Group Signature Scheme, GS2 

The scheme GS2 is the same as GS1 except that in the signature, $A_i$ is encrypted 
by the single-key El Gamal variant instead of the two-key one. So in GKg, $x'_b$ and 
$\theta_b$ are not generated, and in GSig, $A_i$ is encrypted under the El Gamal public key 
$(G, \theta_a)$ as $(E_a = tG, A_a = A_i\theta_a^t)$. So there is no $E_b$, $A_b$ or $\varsigma$ in the signature 
or in the executions of the GSig, GVf, Open and Judge algorithms. Security of GS2 
is stated in Theorem 6, whose proof is shown in the full version [25]. 

Theorem 6. GS2 provides Correctness. GS2 provides Weak Anonymity if the 
Decisional Bilinear Diffie-Hellman assumption holds. GS2 provides Traceability 
in the random oracle model if the q-Strong Diffie-Hellman assumption holds, 
where $q$ is the upper bound of the group size. GS2 provides Non-frameability in 
the random oracle model if the Discrete Logarithm assumption holds over the 
group $\mathbb{G}_1$ and the digital signature scheme $(K_S, \mathrm{Sign}, \mathrm{Ver})$ is UNF-CMA. 

4.3 Do the ACJT00 and GS2 Schemes Provide Anonymity? 

We first state the security of the ACJT00 scheme in Theorem 7. The ACJT00 
scheme refers to the scheme proposed in [1], plus some simple extensions to 
accommodate the Judge algorithm (defining the UKg algorithm as in our scheme, 
using $usk[i]$ to sign messages in the Join, Iss protocol, and verifying signatures 
in the Open and Judge algorithms). The methodology of the proof for Theorem 
7 is very similar to the proof of Theorem 6, and the exact details of each step 
can be extracted from the proofs in [19]. 

Theorem 7. The ACJT00 scheme provides Correctness; Weak Anonymity if 
the DDH-Compo-KF assumption holds; Traceability in the random oracle model 
if the Strong RSA assumption holds; Non-frameability in the random oracle 
model if the Discrete Logarithm assumption holds over the quadratic residues 
group of a product of two known large primes, and the digital signature scheme 
for UKg is UNF-CMA. (See [19] for the assumptions used in this theorem.) 

It is an open question whether the ACJT00 and GS2 schemes provide Anonymity, 
in line with the open problem of whether a combination of an El Gamal encryption 
(IND-CPA) and a Schnorr proof of knowledge of the plaintext can provide IND- 
CCA. This combination has been proved to provide IND-CCA in the random 
oracle model, but the proof has required either another very strong assumption 
[29] or is in the generic model [27]. In ACJT00 and GS2 signatures, the identity- 
bound information is encrypted by variations of El Gamal encryption and the 
other part of the signature proves knowledge of the information. The Open 
oracle plays a similar role to the Decryption oracle in the IND-CCA model. 

4.4 Variants Based on the DDH Assumption 

We can build variants of GS1 and GS2 whose security is based on the DDH as- 
sumption over the group $\mathbb{G}_M$ instead of the DBDH (DDHV) assumption. Specif- 
ically, $A_i$ will be encrypted by the normal El Gamal encryption scheme or the 
twin-paradigm extension of the El Gamal encryption scheme (proposed in [17]). The 
Open algorithm in these variant schemes requires one less pairing operation than 
in GS1 and GS2. 

We can actually provide a group signature with 4 options, where the users, 
the issuer and the opener use the same keys for all options. The first two options 
are GS1 and GS2, offering smaller signature size and more efficient signing and 
verification. The last two options are the variant schemes based on the normal 
DDH assumption, with more efficient opening. 



5 A Traceable Signature Scheme 

We extend GS2 to a traceable signature scheme TS = (Setup, Join, Sign, 
Verify, Open, Reveal, Trace, Claim, Claim-Verify) with similar advantages over the 
only other traceable signature scheme [18]. 

Setup: This is the same as GKg for GS2, but the group public key also includes 
randomly chosen $\theta$ and $Q$. The group public key is $gpk = (P, P_0, P_{pub}, Q, H, G, \theta_a)$, the issuing 
key is $ik = x$, and the opening key is $ok = x'_a$. Choose a hash function $\mathcal{H}_3 : 
\{0,1\}^* \rightarrow \mathbb{Z}_p$ (a random oracle). 

Join: This protocol is the same as the Join, Iss protocol in Section 3.2, except for 
the following. The GM also chooses $X_i \in_R \mathbb{Z}_p^*$, computes $S_i = \frac{1}{a_i + x}(P_i + X_iQ + P_0)$ 
at step 5 and sends the user $a_i, S_i, X_i$ at step 6. In the last step, the user computes 
$A_i = e(P, S_i)$, verifies that $e(a_iP + P_{pub}, S_i) = e(P, x_iP + X_iQ + P_0)$, and stores the 
private signing key $gsk[i] = (x_i, X_i, a_i, S_i, A_i)$. The GM also computes $A_i$ and 
stores it with the protocol's transcript. 

Sign: The algorithm for a user $i$ to sign a message $m \in \{0,1\}^*$ is as follows. 

1 . Compute Ea = tG, Aa = A0l n = OfG T2 = 9^, T3 = 0 -^"' and 

T4 = , where t, r, r' €r Z*. 

2 . Generate ri, ..., ra, fco, fee Gfl and compute 

(a) U = ri{aiP + Ppub); V = raS'^ W = rir2(x*P + + Pg); X = raC/ + 

rgH; Ti = kiP+k 2 Ppub + koH; T2 = fcsP+fceQ + fePo; Z3 = kill + koH; 

Ti = kbG - kiEa, n = etA-’^^; Ifi = p2 = 

(b) c = 7 f 3 (P||Po||Pp« 6 ||i?||G|| 0 ||P,|K||P,||^||c||G||G||IT||X||Ti||...||T 4 
\\n\\E^\\E2\\m). 

(c) Compute in Z^: 59 = ^0 + era; si = fci + crir2aj; 52 = ^2 + cr\r2', 
sg = kg + crir2Xi] S4 = k4 + 0x2] ss = ^5 + cr 2 t; se = ^6 + crir 2 Xi 

3 . Output the signature (c, Sq, ..., Sg, U, V, W, X, Ea, Aa, Ti,T2, ^3,^4) for m. 

Verify: The verification algorithm for m, (c, sg, ■■■, sg, U, V, W, X, Ea, Aa, ^ 1 ,^ 2 , 
^3, ^4) outputs accept if and only if the following two equations hold: (i) e{U, V) 
= e{P,W) and {ii) c = ng{P\\Pg\\Ppub\\H\\G\\e\\Ea\\Aa\\Eb\\Ab\\g\\U\\V\\W\\X 
||siP + S2PpubP SgEl — cX\\sgP + SgQ + S2P0 ~ cTT| |s4P + SgP[ — cX\\sbG — S4Ea 
1 1 e(P, cV) 1 1 1 1 Tf \\m) 

Open: To open $m$ and its valid signature $(c, s_0, \ldots, s_6, U, V, W, X, E_a, A_a, T_1, T_2, 
T_3, T_4)$ to find the signer, the GM computes $A_i = A_a\,e(E_a, G)^{-x'_a}$ and finds the 
corresponding entry $i$ in the table of stored Join transcripts. The GM returns $i$ 
and a non-interactive zero-knowledge proof $\varrho$ of knowledge of $x'_a$ so that $\theta_a = 
e(G, G)^{x'_a}$ and $A_a/A_i = e(E_a, G)^{x'_a}$ (see [12] for this proof). 

Reveal and Trace: Given the Join transcript of user $i$, the GM recovers the 
tracing trapdoor $trace_i$. Given $trace_i$ and a message-signature pair, a des- 
ignated party recovers $T_1$ and $T_2$ and checks whether $T_1 = T_2^{\,trace_i}$. If the equation holds, 
the tracer concludes that user $i$ has produced the signature. 

Claim and Claim-Verify: Given a message-signature pair, a user $i$ can claim 
that he is the signer by recovering $T_3$ and $T_4$ and producing a non-interactive 
proof of knowledge of the discrete log of $T_3$ to the base $T_4$. Any party can run Claim- 
Verify by verifying the signature and the proof. 

Security. The security of TS is stated in Theorem 8. The proof of this theorem 
uses techniques similar to those in [18] and arguments similar to the proofs for 
our group signature schemes. 

Theorem 8. In the random oracle model, TS provides (i) security against 
misidentification attacks based on the q-SDH and the DDH assumptions, where 
$q$ is the upper bound of the group size; (ii) security against anonymity attacks 
based on the DBDH and DDH assumptions; (iii) security against framing attacks 
based on the DL assumption. 



6 Efficiency 

The sizes of signatures and keys in our schemes are much shorter than those used 
in the Strong-RSA-based schemes at a similar level of security. This difference 
grows when a higher level of security is required. In this section, we compare sizes 
in our new group signature schemes with those in the ACJT00 scheme. We assume 
that our scheme is implemented using an elliptic curve or hyperelliptic curve 
over a finite field; $p$ is a 170-bit prime, $\mathbb{G}_1$ is a subgroup of an elliptic curve 
group or a Jacobian of a hyperelliptic curve over a finite field of order $p$, and $\mathbb{G}_M$ is a 
subgroup of a finite field of size approximately . A possible choice for these 
parameters can be found in [8], where $\mathbb{G}_1$ is derived from the curve $E/GF(3^l)$ 
defined by $- x + 1$. We assume that the system parameters in the ACJT00 
scheme are $\epsilon = 1.1$, $l_p = 512$, $k = 160$, $\lambda_1 = 838$, $\lambda_2 = 600$, $\gamma_1 = 1102$ and 
$\gamma_2 = 840$. We summarize the result in Table 1. 



Table 1. Comparison of sizes (in Bytes) 

Scheme    Signature   gpk   gsk   ik    ok    Security 
ACJT00    1087        768   370   128   128   Weak Anonymity 
GS1       597         363   192   22    44    Anonymity 
GS2       384         235   192   22    22    Weak Anonymity 



Acknowledgements. Authors thank anonymous referees of Asiacrypt 2004 for 
constructive comments and Fangguo Zhang for helpful discussions. 



References 

1. G. Ateniese, J. Camenisch, M. Joye, and G. Tsudik. A practical and provably secure 
coalition-resistant group signature scheme. CRYPTO 2000, Springer-Verlag, LNCS 
1880, pp. 255-270. 

2. G. Ateniese, and B. de Medeiros. Efficient Group Signatures without Trapdoors. 
ASIACRYPT 2003, Springer-Verlag, LNCS 2894, pp. 246-268. 

3. G. Ateniese, and B. de Medeiros. Security of a Nyberg-Rueppel Signature Variant. 
Cryptology ePrint Archive, Report 2004/093, http://eprint.iacr.org/. 

4. M. Bellare, H. Shi, and C. Zhang. Foundations of Group Signatures: The Case of 
Dynamic Groups. Cryptology ePrint Archive: Report 2004/077. 

5. D. Boneh, and X. Boyen. Short Signatures Without Random Oracles. EURO- 
CRYPT 2004, Springer-Verlag, LNCS 3027, pp. 56-73. 

6. D. Boneh, and X. Boyen. Efficient Selective-ID Secure Identity-Based Encryption 
Without Random Oracles. EUROCRYPT 2004, Springer-Verlag, LNCS 3027, pp. 
223-238. 

7. D. Boneh, X. Boyen, and H. Shacham. Short Group Signatures. CRYPTO 2004, 
Springer-Verlag, LNCS, to appear. 

8. D. Boneh, B. Lynn, and H. Shacham. Short signatures from the Weil pairing. 
ASIACRYPT 2001, Springer-Verlag, LNCS 2248, pp. 514-532. 

9. J. Camenisch. Efficient and generalized group signatures. EUROCRYPT 1997, 
Springer-Verlag, LNCS 1233, pp. 465-479. 

10. J. Camenisch, and A. Lysyanskaya. Dynamic Accumulators and Application to 
Efficient Revocation of Anonymous Credentials. CRYPTO 2002, Springer-Verlag, 
LNCS 2442, pp. 61-76. 

11. J. Camenisch, and A. Lysyanskaya. Signature Schemes and Anonymous Credentials 
from Bilinear Maps. CRYPTO 2004, Springer-Verlag, LNCS, to appear. 

12. J. Camenisch, and M. Michels. A group signature scheme with improved efficiency. 
ASIACRYPT 1998, Springer-Verlag, LNCS 1514. 

13. J. Camenisch, and M. Stadler. Efficient group signature schemes for large groups. 
CRYPTO 1997, Springer-Verlag, LNCS 1296. 

14. D. Chaum, and E. van Heyst. Group signatures. CRYPTO 1991, LNCS 547, 
Springer-Verlag. 

15. L. Chen, and T. P. Pedersen. New group signature schemes. EUROCRYPT 1994, 
Springer-Verlag, LNCS 950, pp. 171-181. 

16. A. Fiat, and A. Shamir. How to prove yourself: practical solutions to identification 
and signature problems. CRYPTO 1986, Springer-Verlag, LNCS 263, pp. 186-194. 

17. P. Fouque and D. Pointcheval. Threshold Cryptosystems Secure against Chosen- 
Ciphertext Attacks. ASIACRYPT 2001, Springer-Verlag, LNCS 2248, pp. 351-368. 

18. A. Kiayias, Y. Tsiounis and M. Yung. Traceable Signatures. EUROCRYPT 2004, 
Springer-Verlag, LNCS 3027, pp. 571-589. 

19. A. Kiayias, and M. Yung. Group Signatures: Provable Security, Efficient Con- 
structions and Anonymity from Trapdoor-Holders. Cryptology ePrint Archive: Re- 
port 2004/076. 

20. J. Kilian, and E. Petrank. Identity escrow. CRYPTO 1998, Springer-Verlag, LNCS 
1642, pp. 169-185. 

21. S. Kim, S. Park, and D. Won. Convertible group signatures. ASIACRYPT 1996, 
Springer-Verlag, LNCS 1163, pp. 311-321. 

22. A. Lysyanskaya, R. Rivest, A. Sahai, and S. Wolf. Pseudonym systems. SAC 1999, 
Springer-Verlag, LNCS 1758. 

23. M. Michels. Comments on some group signature schemes. TR-96-3-D, Department 
of Computer Science, University of Technology, Chemnitz-Zwickau, Nov. 1996. 

24. S. Mitsunari, R. Sakai, and M. Kasahara. A new traitor tracing. IEICE Trans. Vol. 
E85-A, No. 2, pp. 481-484, 2002. 

25. L. Nguyen, and R. Safavi-Naini. Efficient and Provably Secure Trapdoor-free Group 
Signature Schemes from Bilinear Pairings. Full version. 

26. L. Nguyen. Accumulators from Bilinear Pairings and Applications. CT-RSA 2005, 
Springer-Verlag, LNCS, to appear. 

27. P. Schnorr and M. Jakobsson. Security of signed El Gamal encryption. ASI- 
ACRYPT 2000, Springer-Verlag, LNCS 1976, pp. 73-89. 

28. V. To, R. Safavi-Naini, and F. Zhang. New traitor tracing schemes using bilinear 
map. DRM Workshop 2003. 

29. Y. Tsiounis and M. Yung. On the security of El Gamal based encryption. PKC 
1998, Springer-Verlag, LNCS 1431, pp. 117-134. 

30. F. Zhang, R. Safavi-Naini and W. Susilo. An Efficient Signature Scheme from 
Bilinear Pairings and Its Applications. PKC 2004, Springer-Verlag, LNCS 2947, 
pp. 277-290. 




On the Security of 
MOR Public Key Cryptosystem 

In-Sok Lee, Woo-Hwan Kim, Daesung Kwon, 
Sangil Nahm, Nam-Seok Kwak, and Yoo-Jin Baek 

ISaC, Department of Mathematics, Seoul National Univ., Seoul, 151-747, Korea 
{islee, whkim, kwarc}@math.snu.ac.kr 
National Security Research Institute (NSRI), Taejon, 305-350, Korea 
ds_kwon@etri.re.kr 
Department of Mathematics, Purdue University, West Lafayette, IN 47907, USA 
snahm@purdue.edu 
Multimedia Lab., Samsung Electronics Co., Suwon, 442-742, Korea 
yoojin.baek@samsung.com 



Abstract. For a finite group $G$ to be used in the MOR public key cryp- 
tosystem, it is necessary that the discrete logarithm problem (DLP) over 
the inner automorphism group $\mathrm{Inn}(G)$ of $G$ be computationally 
hard to solve. In this paper, under the assumption that the special con- 
jugacy problem of $G$ is easy, we show that the complexity of the MOR 
system over $G$ is about $\log|G|$ times larger than that of DLP over $G$ 
in a generic sense. We also introduce a group-theoretic method, called 
the group extension, to analyze the MOR cryptosystem. When $G$ is con- 
sidered as a group extension of $H$ by a simple abelian group, we show 
that DLP over $\mathrm{Inn}(G)$ can be 'reduced' to DLP over $\mathrm{Inn}(H)$. On the 
other hand, we show that the reduction from DLP over $\mathrm{Inn}(G)$ to DLP 
over $G$ is also possible for some groups. For example, when $G$ is a nilpo- 
tent group, we obtain such a reduction by the central commutator attack. 

Keywords: MOR cryptosystem, discrete logarithm problem, group ex- 
tension, central commutator attack. 



1 Introduction 

At Crypto 2001, Paeng et al. [8] proposed the MOR public key cryptosystem 
using finite non-abelian groups. For a group $G$ to be used in the MOR public key 
cryptosystem, it is necessary that the discrete logarithm problem (DLP) over the 
inner automorphism group $\mathrm{Inn}(G)$ of $G$ be computationally hard to solve, 
and there must be an efficient way to represent group elements as products of 
the specified generators of $G$. Furthermore, we expect the security of the MOR 
system to be something 'mor(e)' than that of DLP over $G$. Also it should be 



* Supported in part by KRF grant 2004-070-000001 and the BK21 Project in 2004. 
† Partially supported by NSRI. 

P.J. Lee (Ed.): ASIACRYPT 2004, LNCS 3329, pp. 387-400, 2004. 

© Springer- Verlag Berlin Heidelberg 2004 







noted that the difficulty of DLP depends not only on the algebraic structure of 
the group, but also on how elements of the group are represented. 

Despite the many cryptographic advantages (see [8]) of the MOR cryptosystem, 
the groups proposed so far have turned out to be unsatisfactory (see [7, 9, 14]). 

In this paper, we are not trying to suggest new candidates for the groups 
$G$ to be used in the MOR cryptosystem. We rather intend to reveal the 
reasons why it is not easy to find good candidates for $G$. Thus, we hope that this 
paper helps the search for suitable groups for the MOR system. 

First, in Section 2, we compute the complexity of finding the secret keys of the 
MOR system in a generic sense. Under the assumption that the special conju- 
gacy problem of $G$ is easy, we show that the complexity of the MOR system over $G$ 
is about $\log|G|$ times larger than that of DLP over $G$ in a generic sense. This 
result is somewhat unexpected, since our intuitive expectation for the generic 
complexity of the MOR system is about $|Z(G)|$ times larger than that of DLP 
over $G$. 

Next, in Section 3, using the well-known theory of group extensions, we show 
that it is possible to 'reduce' the problem of finding the secret keys of the MOR 
system over $G$ to that of the MOR system over (smaller) subgroups $H$ of $G$. Our 
method is a generalization of various attacks given in [7, 9, 14]. 

In Section 4, we intend to find a reduction algorithm which reduces the MOR 
system over $G$ to DLP over $G$. (If this reduction were efficient enough, the MOR 
system would have less advantage in security than other public key cryptosystems 
based on DLP over $G$.) We show that this reduction is possible for the groups 
which are nilpotent or 'nearly' nilpotent. We call our reduction the central com- 
mutator attack and we note that this attack is generic. 

In this paper, we use the following standard notations: If $N$ is a normal 
subgroup of $G$ and $g \in G$, the order of $g$ is denoted by $|g|$ and the image of $g$ 
in $G/N$ is denoted by $\bar{g}$. We let $\mathrm{Inn}(g)$ be the inner automorphism of $G$ induced 
by $g$, that is, 

$$\mathrm{Inn}(g)(x) = g^{-1}xg, \quad (x \in G)$$

and we let $\mathrm{Inn}(G) = \{\mathrm{Inn}(g) \mid g \in G\}$ be the subgroup of inner automorphisms 
in $\mathrm{Aut}(G)$. We note that $\mathrm{Inn}(G) \cong G/Z(G)$, where 

$$Z(G) = \{z \in G \mid zg = gz \text{ for all } g \in G\}$$

is the center of $G$. 



2 MOR Cryptosystem 

2.1 Description of MOR Cryptosystem 

The MOR cryptosystem [8] is described as follows. 

- Bob's Public key: $(\mathrm{Inn}(g), \mathrm{Inn}(g^s))$ 

- Bob's Secret key: An integer $s \pmod{|\bar{g}|}$, where $\bar{g} \in G/Z(G)$ 

It should be noted that for a fixed generating set $\{\gamma_i \mid i \in I\}$ of $G$, a public 
key $(\mathrm{Inn}(g), \mathrm{Inn}(g^s)) = (\varphi, \varphi^s)$ is described by the data $\{\varphi(\gamma_i)\}$ and $\{\varphi^s(\gamma_i)\}$. 

Encryption 

1. Alice chooses a random integer $r$ and computes $(\mathrm{Inn}(g^s))^r = \mathrm{Inn}(g^{sr})$. 

2. Alice computes $E = \mathrm{Inn}(g^{sr})(M)$. 

3. Alice computes $\mu = (\mathrm{Inn}(g))^r = \mathrm{Inn}(g^r)$. 

4. Alice sends $(E, \mu)$ to Bob. 

Decryption 

1. Bob computes $\mu^{-s} = \mathrm{Inn}(g^{-sr})$. 

2. Bob recovers $M = \mu^{-s}(E)$. 

2.2 MOR Cryptosystem and Related Problems 

For simplicity, let us write $\mathrm{DLP}(G)$ for DLP over $G$. Thus $\mathrm{DLP}(\mathrm{Inn}(G))$ stands 
for DLP over the inner automorphism group $\mathrm{Inn}(G)$ of $G$. 

The security of the MOR system is related to the following problems: 

- [Special Conjugacy Problem]: For a given $\varphi \in \mathrm{Inn}(G)$, find $h \in G$ such that 
$\mathrm{Inn}(h) = \varphi$. 

- [$\mathrm{DLP}(\mathrm{Inn}(G))$]: Given $\varphi, \varphi^s \in \mathrm{Inn}(G)$ for some $s \in \mathbb{Z}$, find $s \pmod{|\varphi|}$. 

Throughout this paper, let us assume that the special conjugacy 
problems over $G$ are not hard to solve. (Otherwise, one can exploit the cryptosys- 
tem using the hardness of the special conjugacy problem over $G$.) Therefore, for 
a given $\mathrm{Inn}(g)$, we may find $g' \in G$ satisfying $\mathrm{Inn}(g) = \mathrm{Inn}(g')$. It means that 
$g' = gz$ for some $z \in Z(G)$. In this case, $\mathrm{DLP}(\mathrm{Inn}(G))$ can be restated as fol- 
lows: 

Find an integer $s \pmod{|\bar{g}|}$ for given $g, g^sz \in G$, where $z \in Z(G)$, 

or 

Find an integer $s \pmod{|\bar{g}|}$ for given $\bar{g}, \bar{g}^s \in G/Z(G)$. 

It means that $\mathrm{DLP}(\mathrm{Inn}(G))$ is equivalent to $\mathrm{DLP}(G/Z(G))$. 

In particular, if $|Z(G)|$ is sufficiently large, there is little possibility that $g^sz$ 
is contained in the cyclic subgroup $\langle g \rangle$ for a randomly chosen $z \in Z(G)$. Hence, 
existing algorithms for solving $\mathrm{DLP}(G)$ do not seem to apply directly to 
$\mathrm{DLP}(\mathrm{Inn}(G))$. On the contrary, if $|Z(G)|$ is too large, then $\mathrm{Inn}(G)$ becomes too 
small to be used for the MOR system. Therefore, we conclude that the appropriate 
size of $Z(G)$ is crucial in the MOR system. 

2.3 Central Attack

The crucial role of $Z(G)$ gives rise to the following intrinsic attack against the MOR system.

Assume that $|Z(G)| = m$ is known. For given $g$ and $g^s z$ for some $s \in \mathbb{Z}$ and $z \in Z(G)$, we get $h_1 = g^m$ and $h_2 = (g^s z)^m = (g^m)^s$. Now, solving DLP($\langle g^m \rangle$) or DLP($G$), we get $s \pmod{|g^m|}$, which gives partial information on the secret key $s$. Of course, $g^m$ may be the identity of $G$ in the extreme case (for example, see [8, p. 477]).



2.4 Complexity of Generic Algorithms on the MOR System

Since the middle of the 90's, a lot of work [11,4,5,6] has been done on generic algorithms for DLP and lower bounds on their complexity. Algorithms which do not exploit any particular property of the representation of the group are called generic, and the baby-step giant-step algorithm is one of the generic algorithms for DLP. In generic algorithms for DLP, only group operations and equality tests are used.

Let $\{\gamma_i \mid i \in I\}$ be a given generating set of $G$ for the MOR system, and let a public key $(\varphi, \varphi^s)$ be given by $\{\varphi(\gamma_i)\}$ and $\{\varphi^s(\gamma_i)\}$. Assuming that the special conjugacy problem over $G$ is not difficult as before, we get $g$ and $g^s z$ for some unknown $z \in Z(G)$.

Let $\mathrm{Mul}_G(\cdot,\cdot)$, $\mathrm{Inv}_G(\cdot)$ and $\mathrm{Equ}_G(\cdot,\cdot)$ denote the group operation (multiplication and inversion) oracles and the equality test oracle of $G$, respectively. Now, consider the factor group $G/Z(G)$. The generic operations of $G/Z(G)$ can be realized using those of $G$ as follows.

• Group operation oracles of $G/Z(G)$:

$$\mathrm{Mul}_{G/Z(G)}(g_1, g_2) = \mathrm{Mul}_G(g_1, g_2), \qquad \mathrm{Inv}_{G/Z(G)}(g) = \mathrm{Inv}_G(g).$$

• Equality test oracle of $G/Z(G)$:

$$\mathrm{Equ}_{G/Z(G)}(g_1, g_2) = \begin{cases} \text{True} & \text{(if } g_1 g_2^{-1} \gamma_i = \gamma_i g_1 g_2^{-1} \text{ for all } i \in I), \\ \text{False} & \text{(otherwise)}. \end{cases}$$

One equality test in $G/Z(G)$ requires at most $(2|I| + 1)$ calls of $\mathrm{Mul}_G$, 1 call of $\mathrm{Inv}_G$ and $|I|$ calls of $\mathrm{Equ}_G$. Under the assumption that $|I| = O(\log |G|)$, we have the following result as a direct application of the Pohlig-Hellman algorithm in [10].

Theorem 1. Let a public key of the MOR system $(\mathrm{Inn}(g), \mathrm{Inn}(g^s))$ be given, and let $|\bar g| = \prod_i p_i^{e_i}$, where the $p_i$ are distinct primes. Under the assumption that $|I| = O(\log |G|)$ and that the special conjugacy problem over $G$ is easy, the secret key $s$ can be computed by $O\big(\sum_i e_i (\log |\bar g| + p_i) \log |G|\big)$ group operations and equality tests of group elements. If memory space for storing $\sqrt{p}$ group elements (where $p$ is the largest prime factor of $|\bar g|$) is available, the running time can be reduced to $O\big(\sum_i e_i (\log |\bar g| + \sqrt{p_i}) \log |G|\big)$.

Proof. By the above discussion, one equality test between two elements of $G/Z(G)$ requires $O(\log |G|)$ group operations and equality tests of elements of $G$. The second assertion follows directly from [10]. □

Thus, in a generic sense, the complexity of computing the secret key of the MOR system is about $\log |G|$ times larger than that of solving DLP($G$).

This result is somewhat unexpected, since our intuitive expectation for the generic complexity of the MOR system is about $|Z(G)|$ times larger than that of DLP over $G$. (If the equality test oracle of $G/Z(G)$ were "check if $g_1 = g_2 z$ for each $z \in Z(G)$", then we would obtain the result matching our intuition. So, the point is that one equality test between two elements of $G/Z(G)$ requires only $O(\log |G|)$ group operations and equality tests of elements of $G$.)
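As an added illustration of Sects. 2.2-2.4 (not code from the paper), the following Python runs the generic attack on a toy MOR key over $G = \mathrm{SL}_2(p)$: the attacker is assumed to have already solved the special conjugacy problem, so it holds $g$ and $g^s z$ with an unknown central $z$; equality in $G/Z(G)$ is decided by commutation with the two standard generators, and Pohlig-Hellman with exhaustive search per prime factor (the first bound of Theorem 1) recovers $s \bmod |\bar g|$. The prime $p = 101$, the element $g$, the exponent $s$ and $z = -I$ are constructed values.

```python
# Added example: generic attack on a MOR key over SL_2(p) (Sects. 2.2-2.4).
# Not code from the paper; all concrete values below are constructed.
P = 101  # toy prime; a real instance would use a far larger group

def mul(a, b):
    """Product of 2x2 matrices over Z_P, stored row-major as 4-tuples."""
    return ((a[0] * b[0] + a[1] * b[2]) % P, (a[0] * b[1] + a[1] * b[3]) % P,
            (a[2] * b[0] + a[3] * b[2]) % P, (a[2] * b[1] + a[3] * b[3]) % P)

def inv(a):
    """Inverse in SL_2(P): det = 1, so the adjugate is the inverse."""
    return (a[3], -a[1] % P, -a[2] % P, a[0])

I2 = (1, 0, 0, 1)

def power(a, e):
    """a^e for e >= 0 by square-and-multiply."""
    r = I2
    while e:
        if e & 1:
            r = mul(r, a)
        a, e = mul(a, a), e >> 1
    return r

# Generating set {gamma_i} of SL_2(P); its centralizer is Z(G) = {+-I}.
GENS = [(1, 1, 0, 1), (1, 0, 1, 1)]

def equ_mod_center(g1, g2):
    """Equ_{G/Z(G)} of Sect. 2.4: g1 = g2 in G/Z(G) iff g1 g2^{-1} commutes
    with every generator.  Uses only Mul_G, Inv_G and Equ_G."""
    d = mul(g1, inv(g2))
    return all(mul(d, gam) == mul(gam, d) for gam in GENS)

def factor(n):
    """Trial-division factorization of n -> {prime: exponent}."""
    f, q = {}, 2
    while q * q <= n:
        while n % q == 0:
            f[q] = f.get(q, 0) + 1
            n //= q
        q += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f

PSL_ORDER = P * (P * P - 1) // 2   # |G/Z(G)| for G = SL_2(P)

def order_mod_center(g):
    """Order of gbar in G/Z(G), found with the generic equality test only."""
    n = PSL_ORDER
    for q in factor(n):
        while n % q == 0 and equ_mod_center(power(g, n // q), I2):
            n //= q
    return n

def recover_s(g, h):
    """Given g and h = g^s z (z central, unknown), return (s mod |gbar|, |gbar|).
    Pohlig-Hellman over G/Z(G); each base-p digit is found by exhaustive
    search over p candidates, i.e. the first bound of Theorem 1."""
    n = order_mod_center(g)
    residues = []
    for p, e in factor(n).items():
        gp = power(g, n // p)             # gbar^(n/p) has order p in G/Z(G)
        s_mod = 0                         # s mod p^j, built digit by digit
        for j in range(e):
            # remove the known digits, then project onto the order-p subgroup
            target = power(mul(h, inv(power(g, s_mod))), n // p ** (j + 1))
            digit = next(d for d in range(p)
                         if equ_mod_center(power(gp, d), target))
            s_mod += digit * p ** j
        residues.append((s_mod, p ** e))
    s, mod = 0, 1                         # Chinese remainder theorem
    for r, m in residues:
        s += mod * ((r - s) * pow(mod, -1, m) % m)
        mod *= m
    return s % n, n

def demo():
    g = (2, 3, 1, 2)                      # constructed public element, det = 1
    s = 12345                             # Bob's secret exponent (constructed)
    z = (P - 1, 0, 0, P - 1)              # -I: the central factor the attacker never learns
    h = mul(power(g, s), z)               # what solving special conjugacy yields
    return recover_s(g, h)                # (s mod |gbar|, |gbar|)
```

Plain equality in $G$ would never match $g^{s'}$ against $h = g^s z$, which is exactly why the attack runs the comparison modulo the center.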



3 Group Extensions and MOR Cryptosystem

Since it does not seem easy to find a good candidate for the MOR cryptosystem from the list of well-known finite groups, we consider an inductive argument as follows. Suppose that the group $G$ is good for the MOR system, and suppose that $G$ has the smallest order among good candidates. Then we think of $G$ as a group extension of a maximal normal subgroup $H$ of $G$, which is not suitable for the MOR system by the hypothesis.

In this section, generalizing the various ideas of [7, 9, 14], we show that it is possible to w-reduce (see the definition below) DLP(Inn($G$)) to DLP(Inn($H$)), where $H$ is a maximal normal subgroup of $G$.

Definition 2. Given $\varphi, \varphi^s \in \mathrm{Inn}(G)$ with a secret key $s \pmod{|\varphi|}$, if we can compute $\psi, \psi^s$ for some $\psi \in \mathrm{Inn}(H)$, we say DLP(Inn($G$)) can be w-reduced (weakly reduced) to DLP(Inn($H$)). In this case, note that we can recover $s \pmod{|\psi|}$, provided DLP(Inn($H$)) is not hard to solve. (Of course, $|\psi|$ may be 1 in the extreme case.)

Although the theory of group extensions (see, for example, [2, §15.1] or [13, §2.7]) is quite standard and well-known, we briefly sketch the proofs of some results on group extensions to prepare for our proof of Theorem 10.

3.1 Group Extensions

Definition 3. For given two groups $H$ and $F$, if $H \lhd G$ and $G/H \cong F$, then we call $G$ a group extension of $H$ by $F$.

Theorem 4. (See [2, 13].) If $G$ is a group extension of $H$ by $F$, there exist functions $T : F \to \mathrm{Aut}(H)$ and $f : F \times F \to H$ satisfying the following conditions:

(1) $T(\tau) \circ T(\sigma) = \mathrm{Inn}(f(\sigma, \tau)) \circ T(\sigma\tau)$, for $\sigma, \tau \in F$,

(2) $f(\sigma, \tau\rho)\, f(\tau, \rho) = f(\sigma\tau, \rho)\, T(\rho)(f(\sigma, \tau))$, for $\sigma, \tau, \rho \in F$,

(3) $f(1, 1) = 1$.

Proof. Let $t : F \to G$ give rise to a bijection between $F$ and a complete set of coset representatives of $H$ in $G$ such that $t(1) = 1$ ($t$ is called a transversal). Next, we define two functions $T : F \to \mathrm{Aut}(H)$ and $f : F \times F \to H$ by

(a) $T(\sigma)(h) = t(\sigma)^{-1} h\, t(\sigma)$, for $\sigma \in F$, $h \in H$,

(b) $f(\sigma, \tau) = t(\sigma\tau)^{-1} t(\sigma)\, t(\tau)$, for $\sigma, \tau \in F$.

Then, $T$ and $f$ satisfy the conditions (1)-(3). □

Remark 5. If $T$ and $f$ satisfy the conditions (1)-(3) of Theorem 4, then we call $f$ a factor set belonging to $T$. If a factor set $f$ is obtained from $G$ as in (a) and (b) in the proof of Theorem 4, then we call $f$ a factor set associated with the extension $G$.

Theorem 6. (See [2, 13].) Let $f : F \times F \to H$ be a factor set belonging to $T : F \to \mathrm{Aut}(H)$. Then there exists a group $G$ which is a group extension of $H$ by $F$ such that $f$ is a factor set associated with $G$.

Proof. Put $G = \{ t(\sigma) a \mid \sigma \in F,\ a \in H \}$ and define a binary operation $*$ on $G$ by

$$[t(\sigma) a] * [t(\tau) b] = t(\sigma\tau)\, f(\sigma, \tau)\, T(\tau)(a)\, b, \qquad (\sigma, \tau \in F,\ a, b \in H).$$

Then, $G$ becomes a group extension of $H$ by $F$. Moreover, $t(\sigma)1$ is actually a transversal and $(T, f)$ satisfies the conditions (a) and (b) in the proof of Theorem 4. □

Corollary 7. (See [2, 13].) The group extension $G$ is uniquely determined by $T$ and $f$. In this case, we denote $G = [H, F, T, f]$.

We note that semi-direct products are group extensions with trivial factor sets. In [7, 9], it is shown that DLP over inner automorphism groups of semi-direct products can be reduced to DLP over inner automorphism groups of the individual groups. For group extensions, a similar result can be derived.

Theorem 8. Assume the group extension data $G = [H, F, T, f]$ is known. If $F$ is non-abelian, then DLP(Inn($G$)) can be w-reduced to DLP(Inn($F$)).

Proof. Let $\varphi = \mathrm{Inn}(g)$ and $g = t(\sigma) a$, where $\sigma \in F$, $a \in H$. For any $x = t(\tau) b \in G$, we have

$$\begin{aligned}
\varphi(x) &= [(t(\sigma) a)^{-1}] * [t(\tau) b] * [t(\sigma) a] \\
&= [t(\sigma^{-1}) d] * [t(\tau) b] * [t(\sigma) a], \quad \text{(where } T(\sigma)(d) = f(\sigma^{-1}, \sigma)^{-1} a^{-1}\text{)} \\
&= [t(\sigma^{-1}\tau)\, f(\sigma^{-1}, \tau)\, T(\tau)(d)\, b] * [t(\sigma) a] \\
&= t(\sigma^{-1}\tau\sigma)\, f(\sigma^{-1}\tau, \sigma) \cdot T(\sigma)\big(f(\sigma^{-1}, \tau)\, T(\tau)(d)\, b\big) \cdot a.
\end{aligned}$$

Similarly there exists $A \in H$ such that $\varphi^s(x) = t(\sigma^{-s}\tau\sigma^s) A$. Let $\psi = \mathrm{Inn}(\sigma)$. Then, the problem of finding $s$ from given $\varphi, \varphi^s \in \mathrm{Inn}(G)$ can be w-reduced to that of finding $s$ from $\psi, \psi^s \in \mathrm{Inn}(F)$. □

Theorem 8 implies that the smaller the order of $\bar\sigma \in F/Z(F)$ is, the less information about $s$ is exposed. Therefore, it is reasonable to take $F$ to be abelian. The next theorem is useful when we investigate group extensions by finite cyclic groups.
Theorem 9. (See [2, §15.3].) If $G$ is a group extension of $H$ by $\mathbb{Z}_n$, then $G$ is uniquely determined by $\chi \in \mathrm{Aut}(H)$ and $a \in H$ satisfying the following conditions:

(1) $\chi^n = \mathrm{Inn}(a) \in \mathrm{Inn}(H)$,

(2) $\chi(a) = a$.

Proof. Write $\mathbb{Z}_n = \{0, 1, \ldots, n-1\}$. We choose a coset representative $\bar 1$ of $1$, and define a transversal $t : \mathbb{Z}_n \to G$ by $t(i) = \bar 1^{\,i}$ for $0 \le i \le n-1$. Then, $\bar 1^{\,n} = a$ for some $a \in H$. Therefore $\chi := \mathrm{Inn}(\bar 1)|_H \in \mathrm{Aut}(H)$. Then $\chi$ and $a$ satisfy conditions (1) and (2). Conversely, if $\chi$ and $a$ are given, we define $T : \mathbb{Z}_n \to \mathrm{Aut}(H)$ and $f : \mathbb{Z}_n \times \mathbb{Z}_n \to H$ by

$$T(i) = \chi^i \quad (0 \le i \le n-1), \qquad
f(i, j) = \begin{cases} 1 & \text{if } i + j < n, \\ a & \text{if } i + j \ge n. \end{cases}$$

Then $T$ and $f$ satisfy the conditions (1)-(3) of Theorem 4. □



3.2 MOR System and Group Extensions

Let $G$ be given by a group extension of $H$ by $F$. The case for which $F$ is non-abelian is not desirable since DLP(Inn($G$)) can be w-reduced to DLP(Inn($F$)) by Theorem 8.

Furthermore, since every finite group has a composition series, we may regard $G$ as a group extended by finite simple groups finitely many times. Therefore, in this section, we analyze the case when $F = \mathbb{Z}_p$ for some prime $p$. Now we have the main result of the present section.

Theorem 10. If the group extension data $G = [H, \mathbb{Z}_p, T, f]$ is known, then DLP(Inn($G$)) can be w-reduced to DLP(Inn($H$)).

Proof. Let $G = [H, \mathbb{Z}_p, T, f]$. Then, by Theorem 9, there exist $\chi \in \mathrm{Aut}(H)$ and $a \in H$ satisfying the following conditions:

$$T(i) = \chi^i \quad (0 \le i < p), \qquad
f(i, j) = \begin{cases} 1 & \text{if } i + j < p, \\ a & \text{if } i + j \ge p, \end{cases} \qquad
\chi^p = \mathrm{Inn}(a) \in \mathrm{Inn}(H).$$

Now, we compute $Z(G)$. If $t(i) a \in Z(G)$, then for all $j \in \mathbb{Z}_p$ and $b \in H$, we have

$$[t(i) a] * [t(j) b] = [t(j) b] * [t(i) a].$$

Therefore,

$$t(i + j)\, f(i, j)\, \chi^j(a)\, b = t(j + i)\, f(j, i)\, \chi^i(b)\, a,$$

and hence this implies $\chi^j(a) = a$ and $b = a^{-1} \chi^i(b)\, a$. Note that this is equivalent to $\chi(a) = a$ and $\chi^i = \mathrm{Inn}(a^{-1})$. Hence we conclude that

$$Z(G) = \{ t(i) a \mid \chi(a) = a,\ \chi^i = \mathrm{Inn}(a^{-1}) \}.$$

Since $\chi^p = \mathrm{Inn}(a) \in \mathrm{Inn}(H)$ and $p$ is prime, we note that the order of $\bar\chi$ in $\mathrm{Out}(H) = \mathrm{Aut}(H)/\mathrm{Inn}(H)$ is 1 or $p$.

Case 1. $|\bar\chi| = 1$.

We prove this case by showing that there is a computable isomorphism between $G/Z(G)$ and $H/Z(H)$. If $|\bar\chi| = 1$, then $\chi = \mathrm{Inn}(h)$ for some $h \in H$. Since $\chi^i = \mathrm{Inn}(h^i) = \mathrm{Inn}(a^{-1})$, there exists $z_1 \in Z(H)$ such that $h^i = a^{-1} z_1$ (i.e., $h^i a \in Z(H)$). Then $h$ commutes with $a$ and thus $\chi(a) = \mathrm{Inn}(h)(a) = a$. Therefore,

$$Z(G) = \{ t(i) a \mid h^i a \in Z(H) \}$$

and we have

$$|Z(G)| \ge |Z(H)|.$$

Next, we find an isomorphism between $G/Z(G)$ and $H/Z(H)$. Since $\chi^p = \mathrm{Inn}(h^p) = \mathrm{Inn}(a)$, we have $a = h^p z$ for some $z \in Z(H)$. We define $\Psi : G \to H/Z(H)$ by

$$\Psi(t(i) a) = \overline{h^i a}, \qquad (a \in H,\ i \in \mathbb{Z}_p).$$

Then we can show the following.

1. $\Psi$ is a group homomorphism:

$$\begin{aligned}
\Psi([t(i) a] * [t(j) b]) &= \Psi\big(t(i + j)\, f(i, j)\, \chi^j(a)\, b\big) \\
&= \begin{cases} \overline{h^{i+j} h^{-j} a\, h^j b} = \overline{h^i a\, h^j b}, & \text{if } i + j < p \\ \overline{h^{i+j-p} h^p z\, \chi^j(a)\, b} = \overline{z\, h^i a\, h^j b} = \overline{h^i a\, h^j b}, & \text{if } i + j \ge p \end{cases} \\
&= \Psi(t(i) a)\, \Psi(t(j) b).
\end{aligned}$$

2. $\Psi$ is surjective: For $\bar g \in H/Z(H)$, where $g \in H$, we have

$$\Psi(t(i) h^{-i} g) = \overline{h^i h^{-i} g} = \bar g.$$

3. $\mathrm{Ker}\, \Psi = Z(G)$: $t(i) a \in \mathrm{Ker}\, \Psi \iff h^i a \in Z(H) \iff t(i) a \in Z(G)$.

Hence, by the first isomorphism theorem, we have

$$\bar\Psi : G/Z(G) \cong H/Z(H).$$

Note that $\Psi$ is computable since $h$ can be derived from $\chi = \mathrm{Inn}(h)$.

Case 2. $|\bar\chi| = p$.

If $|\bar\chi| = p$, $i$ should be 0 in order that the equation $\chi^i = \mathrm{Inn}(a^{-1})$ holds. Moreover, since $\chi^0(b) = b = a b a^{-1}$ for all $b \in H$, $a$ must be contained in $Z(H)$. Therefore, we have

$$Z(G) = \{ t(0) a \mid \chi(a) = a,\ a \in Z(H) \} \le Z(H).$$
For given $\mathrm{Inn}(t(i) a)$ and $\mathrm{Inn}((t(i) a)^s)$, under the assumption that the special conjugacy problem of $G$ is easy, we can find $t(j) c$ and $t(l) d$ such that $\mathrm{Inn}(t(i) a) = \mathrm{Inn}(t(j) c)$ and $\mathrm{Inn}((t(i) a)^s) = \mathrm{Inn}(t(l) d)$. Then we must have $i \equiv j \pmod p$ and $c = a z$ for some $z \in Z(H)$ with $\chi(z) = z$. Similarly, we get $is \equiv l \pmod p$. Consequently, we obtain $s \equiv r' \pmod p$ and thus we may put $s = pr + r'$ for some integer $r$. Since

$$\begin{aligned}
(t(i) a)^p &= \underbrace{[t(i) a] * [t(i) a] * \cdots * [t(i) a]}_{p\text{ times}} \\
&= \underbrace{[t(i) a] * [t(i) a] * \cdots * [t(i) a]}_{(p-1)\text{ times}} * [t(2i)\, f(i, i)\, T(i)(a)\, a] \\
&= \underbrace{[t(i) a] * \cdots * [t(i) a]}_{(p-2)\text{ times}} * [t(3i)\, f(i, 2i)\, T(2i)(a)\, f(i, i)\, T(i)(a)\, a] \\
&= t(0) \prod_{j=0}^{p-1} f(i, ij)\, T(ij)(a) \\
&= t(0)\, \Phi,
\end{aligned}$$

where $\Phi = \prod_{j=0}^{p-1} f(i, ij)\, T(ij)(a)$, we have

$$\mathrm{Inn}((t(i) a)^p) = \mathrm{Inn}(t(0)\, \Phi)$$

and

$$\mathrm{Inn}((t(i) a)^s) \circ \mathrm{Inn}(t(i) a)^{-r'} = \mathrm{Inn}((t(i) a)^{pr}) = \mathrm{Inn}(t(0)\, \Phi^r).$$

We may consider $\mathrm{Inn}(t(0)\, \Phi)|_H$ and $\mathrm{Inn}(t(0)\, \Phi^r)|_H$ as elements of $\mathrm{Inn}(H)$, and we conclude that DLP(Inn($G$)) is w-reduced to DLP(Inn($H$)). □



Example 11. Let $\lambda$ be the graph automorphism of order 2 of $\mathrm{SL}_n(q)$ (see [12, §10]). The group extension $G = [\mathrm{SL}_n(q), \mathbb{Z}_2, \lambda, 1]$ belongs to Case 2. In this case, the order of $Z(G)$ is the same as that of $\mathrm{SL}_n(q)$.

Example 12. A metacyclic group (for example, see [3, p. 99]) is a semi-direct product and belongs to Case 2. In this case, the order of the center of the group decreases.

In Case 1, since we can find a computable isomorphism

$$\bar\Psi : G/Z(G) \cong H/Z(H),$$

we see that DLP(Inn($G$)) can be completely reduced to DLP(Inn($H$)) in this case.

Example 13. (See [8].) Let $G = \mathrm{SL}_2(p) \rtimes_\theta \mathbb{Z}_p$, where

$$\theta = \mathrm{Inn} \circ \theta_1 : \mathbb{Z}_p \to \mathrm{Aut}(\mathrm{SL}_2(p)),$$

and $\theta_1$ is an isomorphism from $\mathbb{Z}_p$ to $\langle \alpha \rangle$, $\alpha \in \mathrm{SL}_2(p)$. Then

$$Z(G) = \{ t(i) a \mid h^i a = \pm 1,\ a \in \mathrm{SL}_2(p) \}.$$

Note that $|Z(G)| > |Z(H)|$ and hence this example belongs to Case 1. Therefore, we have

$$G/Z(G) \cong \mathrm{SL}_2(p)/Z(\mathrm{SL}_2(p)) = \mathrm{PSL}_2(p).$$

Remark 14. Moreover, all semi-direct products using inner automorphisms are of Case 1. This is the reason why the authors of [7, 9] search for outer automorphisms.

Remark 15. As in [8, 9], even when the message space is restricted to $\{ t(0) h \mid h \in H \}$, a similar reduction is possible and we omit the proof.

Remark 16. Since we can only w-reduce DLP(Inn($G$)) to DLP(Inn($H$)), we may not succeed in recovering full information about the secret keys. However, we note that there are many choices of maximal normal subgroups $H$ in $G$. Thus, we may conclude that the group extension data $G = [H, \mathbb{Z}_p, T, f]$ should not be easily obtainable in order to have a secure MOR system. This should be kept in mind when we search for suitable groups for the MOR system.



4 Central Commutator Attack

As we have mentioned in Section 2, DLP(Inn($G$)), which is the underlying problem of the MOR system, depends a lot on the center $Z(G)$ of $G$. We are thus naturally led to consider the lower central series of $G$. Especially, we are interested in the nilpotent groups, for which the length of the lower central series is finite.

In this section, we show that there is a reduction algorithm for the MOR system on a nilpotent group.

4.1 Central Commutator Attack

As before, for $g \in G$, we assume a public key $(\mathrm{Inn}(g), \mathrm{Inn}(g^s)) = (\varphi, \varphi^s)$ is given.

Lemma 17. Suppose we can find $h, z \in G$ such that $z = \varphi(h^{-1}) h = g^{-1} h^{-1} g h \ne 1$ and $\varphi(z^{-1}) z = g^{-1} z^{-1} g z = 1$; then $z^s$ can be computed from $\varphi^s$.

Proof. Observe the following computation:

$$\varphi^s(h^{-1}) h = g^{-s} h^{-1} g^s h = g^{-s} (h^{-1} g h)^s = g^{-s} (g z)^s = z^s. \quad □$$

Thus, if we can find such $h$ and $z$ and can solve DLP($\langle z \rangle$) from $z$ and $z^s$, we get $s \pmod{|z|}$. To find such $h$ and $z$, assume $G$ is nilpotent and consider the lower central series of $G$:

$$G = G^0 > G^1 > \cdots > G^{k-1} > G^k = \langle 1 \rangle,$$

where $G^i = [G, G^{i-1}]$. We have $k \ge 2$ because we are assuming $G$ is non-abelian. Since $G^{k-2} \not\subseteq Z(G)$ and $G^{k-1} \le Z(G)$, there exists $h \in G^{k-2} \setminus Z(G)$. Letting $z = g^{-1} h^{-1} g h \in G^{k-1}$, $z$ is contained in $G^{k-1} \le Z(G)$ and thus $z$ commutes with $g$. This technique is called the central commutator attack, since $z$ and $z^s \in Z(G)$ are central commutators.

However, when $z$ is the identity of $G$, we do not get any information about $s$, and the condition $z \ne 1$ is not guaranteed here. The next algorithm settles this problem and it can be applied to any nilpotent group.

Lemma 18. Let $G$ be a nilpotent group of nilpotency $(k-1)$ with $k \ge 2$. Then Algorithm-1 below outputs $z$ and $z^s$ with $z \ne 1$ (and $n$ in Algorithm-1 satisfies $n \le k$).



Algorithm-1

Input: $\varphi = \mathrm{Inn}(g)$ and $\varphi^s = \mathrm{Inn}(g^s)$ such that $\varphi \ne 1$.

Step 1: Define $\alpha(x) := \varphi(x^{-1}) x = g^{-1} x^{-1} g x$ and choose $x_0$ such that $\alpha(x_0) \ne 1$.

Step 2: For $m \in \mathbb{N}$, define $x_m := \alpha(x_{m-1})$ and let $n$ be the smallest integer such that $x_n = 1$.

Step 3: Put $h = x_{n-2}$, $z = x_{n-1}$ and compute $z^s = \varphi^s(h^{-1}) h$.

Output: $z$ and $z^s$ with $z \ne 1$.



Proof. For $\mathrm{Inn}(g)$ to be used for an encryption, there should exist $x_0$ which is not trivially encrypted, i.e., $\varphi(x_0) \ne x_0$ and $g^{-1} x_0 g x_0^{-1} \ne 1$. Since $G$ is a nilpotent group of nilpotency $(k-1)$, we have the following lower central series of $G$:

$$G = G^0 > G^1 > \cdots > G^{k-1} > G^k = \langle 1 \rangle,$$

where $G^i = [G, G^{i-1}]$. Define $\alpha$ and $x_m$ as in Algorithm-1. We note that $x_m \in G^m$ for $m = 1, \ldots, k$ and thus $x_k = 1$. Therefore we see that $n \le k$. Since $n$ is the smallest integer such that $x_n = 1$, we have $z = x_{n-1} \ne 1$. Now, if we put $h = x_{n-2}$, then $h$ and $z$ satisfy the conditions of Lemma 17 and thus we get $\varphi^s(h^{-1}) h = z^s$. □

Thus by solving DLP($\langle z \rangle$), one can compute some partial information on the secret, i.e., $s \pmod{|z|}$. Moreover, we will show that one can recover $s$ completely, if DLP over prime order subgroups of $G$ is easy.

Let $m = |\bar g| = \prod_{i=1}^{k} p_i^{e_i}$ be the order of $\bar g$ in $G/Z(G)$, where the $p_i$ are distinct primes. Then the following algorithm is nothing but an application of the Pohlig-Hellman algorithm [10] to the MOR system.

• Step A: For a fixed $i$, compute $s \pmod{p_i^j}$ for $j = 1, \ldots, e_i$, inductively.

• Step B: Compute $s \pmod{p_i^{e_i}}$ for each $i = 1, \ldots, k$.

• Step C: Using the Chinese remainder theorem, compute $s \pmod m$.

We note that only Step A is essential here: Fix a prime factor $p$ of $m$, and let $e$ be the exponent of $p$ in $m$. Let

$$s \pmod{p^e} = \sum_{j=0}^{e-1} s_j p^j, \qquad (0 \le s_j \le p - 1).$$

First, compute

$$\psi := (\mathrm{Inn}(g))^{m/p} = \mathrm{Inn}(g^{m/p})$$

and

$$\psi_0 := (\mathrm{Inn}(g^s))^{m/p} = \mathrm{Inn}(g^{m/p})^s = \mathrm{Inn}(g^{m/p})^{s_0} = \psi^{s_0}.$$

Since $g^{m/p}$ is not contained in $Z(G)$, we have $\psi(\gamma_i^{-1}) \gamma_i \ne 1$ for some $i$, where $\{\gamma_i \mid i \in I\}$ is a given generating set of $G$. Applying Algorithm-1 to $\psi$ and $\psi_0$, we get $h$, $z$ and $z^{s_0}$ such that

$$z = (g^{-m/p}) h^{-1} (g^{m/p}) h \quad \text{and} \quad (g^{-m/p}) z^{-1} (g^{m/p}) z = 1.$$

Observe that $|z| = p$. Solving DLP($\langle z \rangle$), we obtain $s_0$. Now, assume that we have obtained $s_0, \ldots, s_{l-1}$ for some $l < e$. Next, we compute

$$\psi_l := \Big(\mathrm{Inn}(g^s) \circ \mathrm{Inn}(g)^{-\sum_{j=0}^{l-1} s_j p^j}\Big)^{m/p^{l+1}} = \mathrm{Inn}(g^{m/p})^{s_l}.$$

Again applying Algorithm-1 to $\psi$ and $\psi_l$, and solving DLP($\langle z \rangle$), we obtain $s_l$. By induction we can compute $s \pmod{p^e}$. In summary, we have the following result.



Theorem 19. Let $G$ be a finite nilpotent group. For given $\mathrm{Inn}(g)$ and $\mathrm{Inn}(g^s)$, by solving DLP over prime order subgroups of $G$, one can recover $s \pmod{|\bar g|}$ completely. In other words, DLP(Inn($G$)) can be completely reduced to DLP over prime order subgroups of $G$.
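As an added illustration of Algorithm-1 and the digit-by-digit Pohlig-Hellman step above (not code from the paper), the following Python attacks a toy MOR key over the Heisenberg group of $3 \times 3$ unitriangular matrices over $\mathbb{Z}_{p^2}$, which is nilpotent of class 2: the public key is given only as the images of the two generators $x, y$, Algorithm-1 produces a central commutator $z \ne 1$ together with $z^{s_l}$, and a brute-force DLP in $\langle z \rangle$ yields each base-$p$ digit of $s \bmod |\bar g|$. The prime $p = 7$, the element $g$ and the secret $s$ are constructed values.

```python
# Added example: central commutator attack (Algorithm-1) plus the digit loop
# of Sect. 4 on a MOR key over a nilpotent group.  Not code from the paper;
# the group, g and s are constructed.
# G = upper unitriangular 3x3 matrices over Z_N, N = p^2, written as triples
# (a, b, c) for [[1,a,c],[0,1,b],[0,0,1]].  G is nilpotent of class 2 with
# Z(G) = {(0,0,c)} and G/Z(G) = Z_N x Z_N, so |gbar| = N for the g below.
P = 7
N = P * P
ONE = (0, 0, 0)
X, Y = (1, 0, 0), (0, 1, 0)   # generators; (a,b,c) = x^a y^b w^(c-ab), w = [x,y] = (0,0,1)

def mul(u, v):
    return ((u[0] + v[0]) % N, (u[1] + v[1]) % N, (u[2] + v[2] + u[0] * v[1]) % N)

def inv(u):
    return (-u[0] % N, -u[1] % N, (u[0] * u[1] - u[2]) % N)

def power(u, e):
    """u^e for e >= 0 by square-and-multiply."""
    r = ONE
    while e:
        if e & 1:
            r = mul(r, u)
        u, e = mul(u, u), e >> 1
    return r

def commutator(u, v):
    """[u, v] = u^{-1} v^{-1} u v."""
    return mul(mul(inv(u), inv(v)), mul(u, v))

class Aut:
    """An automorphism of G given only by its images of x and y, which is
    exactly how a MOR public key is published (Sect. 2.1)."""
    def __init__(self, fx, fy):
        self.fx, self.fy = fx, fy
        self.fw = commutator(fx, fy)            # image of w = [x, y]
    def __call__(self, u):
        a, b, c = u
        return mul(mul(power(self.fx, a), power(self.fy, b)),
                   power(self.fw, (c - a * b) % N))
    def compose(self, other):                   # self o other
        return Aut(self(other.fx), self(other.fy))
    def exp(self, e):
        """self^e for e >= 0 by square-and-multiply on automorphisms."""
        r, b = Aut(X, Y), self
        while e:
            if e & 1:
                r = r.compose(b)
            b, e = b.compose(b), e >> 1
        return r

def inn(g):
    """Inn(g): u -> g^{-1} u g, published through its values on x and y."""
    gi = inv(g)
    return Aut(mul(mul(gi, X), g), mul(mul(gi, Y), g))

def algorithm_1(phi, phi_s):
    """Algorithm-1 of Sect. 4: returns (z, z^s) with z != 1 central, using
    nothing but evaluations of phi and phi^s."""
    alpha = lambda u: mul(phi(inv(u)), u)       # alpha(x) = g^{-1} x^{-1} g x
    xs = [next(u for u in (X, Y) if alpha(u) != ONE)]   # x_0 with alpha(x_0) != 1
    while xs[-1] != ONE:                        # x_m := alpha(x_{m-1}); nilpotency ends it
        xs.append(alpha(xs[-1]))
    h, z = xs[-3], xs[-2]                       # h = x_{n-2}, z = x_{n-1}
    return z, mul(phi_s(inv(h)), h)             # z^s = phi^s(h^{-1}) h  (Lemma 17)

def dlp_cyclic(z, zs):
    """Brute-force DLP in <z>; here |z| = p, so at most p steps."""
    t = ONE
    for d in range(N):
        if t == zs:
            return d
        t = mul(t, z)
    raise ValueError("target not in <z>")

def recover_s(phi, phi_s, m=N, p=P):
    """Step A of Sect. 4 for the prime p with p^e || m, m = |gbar|: the digits
    s_l of s mod p^e are extracted one at a time with Algorithm-1."""
    e = 0
    while m % p ** (e + 1) == 0:
        e += 1
    psi = phi.exp(m // p)                       # Inn(g^{m/p}), of order p
    s_mod = 0
    for l in range(e):
        # psi_l = (Inn(g^s) o Inn(g)^{-s_mod})^{m/p^{l+1}}; Inn(g)^{-1} = Inn(g)^{m-1}
        psi_l = phi_s.compose(phi.exp((m - s_mod) % m)).exp(m // p ** (l + 1))
        z, z_sl = algorithm_1(psi, psi_l)       # z^{s_l} with |z| = p
        s_mod += dlp_cyclic(z, z_sl) * p ** l
    return s_mod

def demo():
    g = (1, 3, 5)                               # constructed, non-central, |gbar| = N
    s = 1234                                    # constructed secret; only s mod N matters
    phi, phi_s = inn(g), inn(power(g, s))       # Bob's public key as generator images
    return recover_s(phi, phi_s)                # == s % N
```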

We mention here that the central commutator attack is generic in the sense that the algorithm does not use any particular property of the representation of the group but uses only group operations and equality tests of group elements.

Even when $G$ is not nilpotent, Algorithm-1 can be applied. First, observe the following.

Lemma 20. For $x \in G$ define $T_x : G \to G$ by

$$T_x(y) = x^{-1} y^{-1} x y, \qquad (y \in G).$$

Then $G/Z(G)$ has nontrivial center if and only if there exists $x \in G \setminus Z(G)$ such that $T_x(G) \subseteq Z(G)$.

Proof. Elementary (see, for example, [1, p. 70]).

When the center of $G/Z(G)$ is non-trivial, there exists $x \in G$ such that $[x, G] \subseteq Z(G)$. Thus, given $\varphi = \mathrm{Inn}(g)$, we have $T_x(g) = x^{-1} \varphi(x) \in Z(G)$ and $\varphi(x^{-1}) x \in Z(G)$. Now we see that Algorithm-1 works. Therefore, we might say that Algorithm-1 is valid if $G$ is 'nearly' nilpotent.

When the center of $G/Z(G)$ is trivial, $G$ has the trivial upper central series and perhaps is secure against the central commutator attack. But we expect this kind of group would be 'similar' to simple groups or semi-simple linear groups, which are usually not suitable for the MOR system.



5 Conclusion

The security of the MOR cryptosystem using a group $G$ is based on the hardness of DLP(Inn($G$)) and is related to the size of $Z(G)$. In a generic sense, the complexity of DLP(Inn($G$)) is about $\log |G|$ times larger than that of DLP($G$), since Pohlig-Hellman or the baby-step giant-step algorithm can be applied to the MOR system, provided the special conjugacy problem of $G$ is easy.

Since every finite group $G$ has a composition series, we may regard $G$ as a group extended by finite simple groups finitely many times. This leads us to analyze a group extension $G$ of $H$ by $\mathbb{Z}_p$ for some prime $p$, and it is shown that DLP(Inn($G$)) can be w-reduced to DLP(Inn($H$)).

We note that there are many choices of maximal normal subgroups $H$ in $G$. Thus, we may conclude that the group extension data $G = [H, \mathbb{Z}_p, T, f]$ should not be easily obtainable in order to have a secure MOR system. This should be kept in mind when we search for suitable groups for the MOR system.

We also analyzed MOR systems on finite nilpotent groups. If $G$ is nilpotent, or $Z(G/Z(G)) \ne 1$, using central commutator attacks, it is shown that DLP(Inn($G$)) can be completely reduced to DLP($G$).

Finally, it should be noted again that the MOR system and DLP highly depend on the representations (or presentations) of groups.



References

1. M. L. Curtis, Matrix groups, Springer-Verlag, New York, 1979.

2. M. Hall, The theory of groups, The Macmillan Company, 1959.

3. T. Hungerford, Algebra, Springer-Verlag, 1974.

4. U. Maurer, Towards the equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms, in Advances in Cryptology - Crypto 1994, Lecture Notes in Comput. Sci., 839, Springer-Verlag, New York, 1994, pp. 271-281.

5. U. Maurer and S. Wolf, The Diffie-Hellman protocol, in Des. Codes Cryptography, 19(2), 2000, pp. 147-171.

6. U. Maurer and S. Wolf, Lower bounds on generic algorithms in groups, in Advances in Cryptology - Eurocrypt 1998, Lecture Notes in Comput. Sci., 1403, Springer-Verlag, New York, 1998, pp. 72-84.

400 I.-S. Lee et al.

7. S. Paeng, On the security of cryptosystem using automorphism groups, in Inf. Process. Lett., 88(6), 2003, pp. 293-298.

8. S. Paeng, K. Ha, J. Kim, S. Chee and C. Park, New public key cryptosystem using finite nonabelian groups, in Advances in Cryptology - Crypto 2001, Lecture Notes in Comput. Sci., 2139, pp. 470-485.

9. S. Paeng, D. Kwon, K. Ha and J. Kim, Improved public key cryptosystem using finite nonabelian groups, Cryptology ePrint Archive, Report 2001/066, http://eprint.iacr.org/2001/066/.

10. S. Pohlig and M. Hellman, An improved algorithm for computing logarithms over GF(p) and its cryptographic significance, IEEE Trans. Inform. Theory, 24, 1978, pp. 106-110.

11. V. Shoup, Lower bounds for discrete logarithms and related problems, in Advances in Cryptology - Eurocrypt 1995, Lecture Notes in Comput. Sci., 1233, Springer-Verlag, New York, 1997, pp. 256-266.

12. R. Steinberg, Lectures on Chevalley groups, Yale University, 1967.

13. M. Suzuki, Group theory I, Springer-Verlag, 1977.

14. C. Tobias, Security analysis of the MOR cryptosystem, in Proceedings of PKC 2003, Lecture Notes in Comput. Sci., 2567, Springer-Verlag, 2003, pp. 175-186.




Cryptanalyzing the Polynomial-Reconstruction Based Public-Key System Under Optimal Parameter Choice

Aggelos Kiayias¹ and Moti Yung²

¹ Department of Computer Science and Engineering, University of Connecticut, Storrs, CT, USA
aggelos@cse.uconn.edu
² Department of Computer Science, Columbia University, New York, NY, USA
moti@cs.columbia.edu

Abstract. Recently, Augot and Finiasz presented a coding theoretic public key cryptosystem that suggests a new approach for designing such systems based on the Polynomial Reconstruction Problem. Their cryptosystem is an instantiation of this approach under a specific choice of parameters which, given the state of the art of coding theory, we show in this work to be sub-optimal. Coron showed how to attack the Augot and Finiasz cryptosystem. A question left open is whether the general approach suggested by the cryptosystem works or not. In this work, we show that the general approach (rather than only the instantiation) is broken as well. Our attack employs the recent powerful list-decoding mechanisms.



1 Introduction

Recently, in Eurocrypt 2003 [AF03], Augot and Finiasz presented a public-key cryptosystem that was based on the Polynomial Reconstruction problem (PR). This scheme suggests a general approach for designing such cryptosystems; their cryptosystem is an instantiation of this approach based on a specific choice of parameters.

Let us first review PR, which is a curve-fitting problem that has been studied extensively, especially in the coding theoretic setting, where it corresponds to the Decoding Problem of Reed-Solomon Codes.

Definition 1 (Polynomial Reconstruction (PR)). Given a set of points over a finite field $\{(z_i, y_i)\}_{i=1}^n$, and parameters $[n, k, w]$, recover all polynomials $p$ of degree less than $k$ such that $p(z_i) \ne y_i$ for at most $w$ distinct indexes $i \in \{1, \ldots, n\}$.

Regarding the solvability of PR, we remark that a unique solution can only be guaranteed when $w$ is below the error-correction bound of Reed-Solomon Codes. For such parameter choices, the Berlekamp-Welch Algorithm [BW86] can be used to recover the solution in polynomial time. When the number of errors $w$ exceeds this bound, a unique solution is not necessarily guaranteed. In this range, a decoding algorithm may output a list of polynomials that satisfy the constraints. This is called list-decoding and recently some breakthrough results have been achieved in this field. The most powerful list-decoding algorithm is the one by Guruswami and Sudan [GS98]. The algorithm will work for any number of errors such that $w < n - \sqrt{(k-1)n}$. For choices of parameters beyond the Guruswami-Sudan solvability bound, no known efficient algorithm exists that solves PR (and [GS98] gives some indication why such an algorithm is not likely to be found).



[Figure 1: public-key: hard PR instance; secret-key: the error locations; ENCRYPTION with a random coefficient; DECRYPTION.]

Fig. 1. The Augot and Finiasz general approach for designing a pk-cryptosystem using the hardness of RS decoding



Augot and Finiasz's general approach (see Figure 1) is to use a PR instance which is hard to solve (i.e., a highly noisy instance) as a public key, and to encrypt a message by scaling the given public key (i.e., multiplying the polynomial values by a scalar) and adding to the scaled instance the message, which is represented as a slightly lower degree second PR instance which is solvable, yielding a PR instance representing the ciphertext. The receiver who knows the noise locations in the public key can recover the message. The approach allows key sizes that are much smaller than the traditional coding theoretic based public-key systems (i.e., the McEliece cryptosystem [McE78]). Further, direct use of the above mentioned decoding and list-decoding methods does not apply to breaking the cryptosystem (directly). To implement the approach of Figure 1 one needs to specify: (i) the structure of the public-key, (ii) the structure of the error-vector, and in accordance (iii) the decoding method employed in decryption.

What we noticed is that while the public-key structure was chosen to be an unsolvable PR instance, the choice of the error-vector and the associated decoding method was sub-optimal considering the state-of-the-art of Coding Theory. The scheme was in fact based on unique decoding (and not list decoding techniques) and did not consider probabilistic analysis to maximize the allowed entropy of the error-vector.

The scheme of [AF03] was recently broken by Coron [Cor03a, Cor03c] (without affecting the solvability of PR). The elegant attack presented in [Cor03c] is in fact a ciphertext-only attack that is built on the Berlekamp-Welch method and recovers the message, given knowledge only of the public-key and a ciphertext. A further modification of the scheme, using extension fields but essentially the same system, was suggested recently [AFL03] and was shown by Coron [Cor03b] to be vulnerable to essentially the same attack.

Coding Theoretic Motivation. The Augot-Finiasz cryptosystem employed unique decoding techniques rather than list-decoding techniques (assuming that unique decoding is what is needed for a correct cryptosystem — an assumption we refute herein). Moreover, they consider only worst-case analysis in the selection of the code parameters. Thus, their cryptosystem is sub-optimal in the above respects given the general approach outlined above.

This leaves open the question of whether this general approach works in 
principle, i.e., when one uses the optimal coding theoretic techniques and prob- 
abilistic analysis for the parameter selection. 

Our Results: In this work we investigate the above question. In particular, 
we maximize the rate of the error vector used during encryption and choose 
state-of-the-art list-decoding techniques to implement the Reed-Solomon de- 
coding step for decryption. Regarding the optimization (maximization) of the 
error-rate we make two key observations (1) the system of [AF03] employs a 
worst-case approach in selecting this parameter; a probabilistic approach (that 
we perform in this work) allows higher values. (2) the system of [AF03] employs 
Berlekamp- Welch RS-decoding for the decryption operation. We emphasize that 
more powerful decoding techniques can be employed that allow larger values for 
the error-rate parameter. Our methodology is to use an extended set of tools 
both for design and analysis in order to get the best possible instantiations of 
the general approach. The tools include “list decoding” rather than unique de- 
coding techniques (which we show to be still good for decryption, since decoding 
to a unique value is assured with extremely high probability over a large enough 
field, even when ambiguous decoding is allowed, cf. Lemma 1). 

We develop our presentation as a ping-pong game between a cryptosystems 
designer and a cryptanalyst. To avoid any misunderstanding our goal is not to 
design a new cryptosystem, but rather using the design and cryptanalysis steps 
as a methodology for exploring the general approach. 

First Step. Regarding our key-observation (1) we employ the tails of the hypergeometric distribution to show that the original scheme allowed too few errors in the error-vector to be used by the message encryption process. Thus the error-rate can be increased high enough to aid the designer to achieve instances of the cryptosystem where Coron's analysis does not work. But, nevertheless, we provide an alternative probabilistic analysis showing that the original attack of Coron would work almost always even in this modified (more noisy) version, thus aiding the cryptanalyst.

Second Step. Combining our key-observations (1) and (2) above, we discover the optimal setting for the sender error-parameter (“optimal” under the assumption that the Guruswami-Sudan list-decoding algorithm [GS98] represents the best possible decoding algorithm against Polynomial Reconstruction). We show that the optimal parameter setting helps the designer and in this case Coron's attack fails. To answer our question about the limit of the approach, we then present a new attack that is based on the Sudan and Guruswami-Sudan algorithms [Sud97, GS98]. Our attack, with overwhelming probability, breaks even the optimal parameter setting. This means that the general approach, outlined in Figure 1, taken by Augot and Finiasz (rather than merely their non-optimal instantiation) breaks.

We believe that our results demonstrate how the design and analysis of coding-theory-based cryptography must employ probabilistic methods and state-of-the-art decoding techniques. Furthermore, our results and the attack of Coron demonstrate that PR-based cryptosystems that lack formal proofs of security by concrete reduction arguments, even when they seem to be related to PR, are potentially susceptible to coding-theoretic attacks that do not imply any weakness in the PR problem itself. Note that the private-key cryptosystem based on PR suggested by the authors in [KY02] was shown to be semantically secure under an intractability decisional assumption that bears upon the average-case PR (for choices of the parameters beyond the Guruswami-Sudan solvability bound). This cryptosystem (as well as the other cryptographic primitives in [KY02]) is not affected by the techniques of the present paper and of Coron's [Cor03a, Cor03b, Cor03c], and breaking these designs seems to require significant advances in RS decodability.

Due to space constraints, proofs are omitted from the present abstract; the full version with all details is available in [KY04].



2 Background: The Recent Polynomial-Based Public-Key Cryptosystem

We review the recent developments, while setting up the necessary notations 
and interesting points regarding our investigation. 

2.1 The Cryptosystem of [AF03] 

The cryptosystem of [AF03] can be described at a high level as follows:

1. The public key is a PR-instance with parameters $[n, k+1, W]$ for which (i) the hidden polynomial $p$ is monic; (ii) solving the instance is considered hard. The public key is a sequence of values in $(\mathbb{F} \times \mathbb{F})^n$ (while the locations of the error points form the secret key).

2. Encryption operates by first transposing (i.e., scaling the polynomial of) the public key using a random value $\alpha \in \mathbb{F}$ (the encryption coefficient), then adding to the transposed public key the message (evaluated as a second polynomial represented as pairs of points using the same first coordinates as the points of the public-key PR instance, with no errors), and finally adding some additional $w$ errors. (In other words, the message is embedded in a second PR instance with $w$ errors and added to the transposed public key.) It follows that a ciphertext is a sequence of values in $(\mathbb{F} \times \mathbb{F})^n$.

3. Decryption removes the points that correspond to public-key errors, i.e., $W$ points of the ciphertext. Decryption relies on the following two facts: (i) the remaining $n - W$ points can be decoded into a polynomial $p^*$; (ii) since the message polynomial is selected to be of degree less than the degree of the monic polynomial $p$ hidden in the public key, the recovery of $p^*$ implies the recovery of the encryption coefficient $\alpha$. The message polynomial can then be recovered as $p_{msg}(x) = p^*(x) - \alpha p(x)$.

We note that the points over which the polynomials are evaluated in a PR instance can be publicly known (thus the public key and the ciphertext can be considered to be of size only $|\mathbb{F}|^n$).

In more detail, let $z_1, \ldots, z_n \in \mathbb{F}$ be arbitrary distinct elements of the underlying field, where $n \in \mathbb{N}$ is a security parameter. The public key of the system is a PR-instance that is generated as follows: first a random tuple $(E_1, \ldots, E_n)$ is selected that has exactly $W$ non-zero randomly selected elements from $\mathbb{F}$. Second, a random polynomial $p$ of degree less than $k$ is selected. The public key is set to $pk := \{(z_i, y_i)\}_{i=1}^n$ where $y_i = p(z_i) + E_i + z_i^k$ for $i = 1, \ldots, n$.

Remark. Observe that $\{(z_i, y_i - z_i^k)\}_{i=1}^n$ is a random PR-instance with parameters $n, k, W$.

The encryption operation is defined with domain $\mathbb{F}^k$ and general range the set $(\mathbb{F} \times \mathbb{F})^n$. The message $msg$ is encoded as a polynomial of degree less than $k$, denoted by $p_{msg}(x)$; a random tuple $(e_1, \ldots, e_n)$ is selected so that it has exactly $w$ non-zero randomly selected field elements; a random element $\alpha \in \mathbb{F}$ is selected as well. The ciphertext that corresponds to $msg$ is the sequence of pairs $\{(z_i, y'_i)\}_{i=1}^n$ defined as follows: $y'_i = \alpha y_i + p_{msg}(z_i) + e_i$, for $i = 1, \ldots, n$.

So far, the above represents a general approach. The exact choice of parameters (as a function of $n$, say) gives the specific system of [AF03].

The decryption operates as follows: let $I \subseteq \{1, \ldots, n\}$ be such that $|I| = n - W$ and for all $i \in I$ it holds that $E_i = 0$ (from the selection of the public key). Observe now that the sequence of pairs $C = \{(z_i, y'_i)\}_{i \in I}$ can be seen as a PR-instance with parameters $[n - W, k + 1, w]$. Now suppose that

$$\text{Condition \#1}: \quad w < \frac{n - W - k - 1}{2} \;\Longleftrightarrow\; n > 2w + W + k + 1.$$

This condition implies that the PR-instance has a unique solution that can be recovered by the unique decoding technique of the Berlekamp-Welch algorithm. Given such a solution $p^*(x)$, it follows that the leading coefficient of $p^*$ will be equal to $\alpha$ (by construction, the polynomial hidden in the public key is monic of degree $k$ while the degree of the message polynomial is at most $k - 1$). Then the transmitted message can be recovered as $p_{msg}(x) = p^*(x) - \alpha(x^k + p(x))$.

A second condition is that $W$ should be large, beyond the known bounds of list-decoding, to assure that a third party cannot simply get the error locations of the public key (and thus decrypt all ciphertexts). This condition is the basis of the presumed security of the scheme.
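The key generation, encryption and Berlekamp-Welch decryption described above, as an added toy implementation over a small prime field (illustration code written for this page, not code from the paper or from [AF03]; the field size P, the function names, the tiny parameters and the seeded randomness are this example's own choices, picked only so that Condition #1 holds and the round trip is reproducible):

```python
# Toy model of the [AF03] PR-based cryptosystem of section 2.1 over GF(P); added illustration only.
import random

P = 1_000_003  # constructed: a prime, so the field F is GF(P)

def poly_eval(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... at x over GF(P)."""
    return sum(c * pow(x, j, P) for j, c in enumerate(coeffs)) % P

def solve_mod(mat, rhs):
    """One solution of mat*x = rhs over GF(P) by Gauss-Jordan (free unknowns set to 0)."""
    rows = [row[:] + [b] for row, b in zip(mat, rhs)]
    n, m = len(rows), len(mat[0])
    pivots, r = [], 0
    for c in range(m):
        piv = next((i for i in range(r, n) if rows[i][c]), None)
        if piv is None:
            continue  # column c is a free unknown
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], P - 2, P)
        rows[r] = [(v * inv) % P for v in rows[r]]
        for i in range(n):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(vi - f * vr) % P for vi, vr in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    if any(rows[i][m] for i in range(r, n)):
        raise ValueError("inconsistent system")
    x = [0] * m
    for i, c in enumerate(pivots):
        x[c] = rows[i][m]
    return x

def poly_divmod(num, den):
    """Polynomial long division over GF(P): returns (quotient, remainder)."""
    num = num[:]
    quot = [0] * (len(num) - len(den) + 1)
    inv = pow(den[-1], P - 2, P)
    for i in range(len(quot) - 1, -1, -1):
        c = num[i + len(den) - 1] * inv % P
        quot[i] = c
        for j, d in enumerate(den):
            num[i + j] = (num[i + j] - c * d) % P
    return quot, num[:len(den) - 1]

def bw_decode(points, k, w):
    """Berlekamp-Welch: the polynomial of degree <= k agreeing with all but at most
    w points, from E(z)*y = N(z) with E monic of degree w and deg N <= k + w."""
    rows, rhs = [], []
    for z, y in points:
        zp = [pow(z, j, P) for j in range(k + w + 1)]
        rows.append([zp[j] * y % P for j in range(w)] + [(-zp[j]) % P for j in range(k + w + 1)])
        rhs.append((-zp[w] * y) % P)  # the monic term z^w * y moves to the right side
    sol = solve_mod(rows, rhs)
    quot, rem = poly_divmod(sol[w:], sol[:w] + [1])  # N / E
    if any(rem):
        raise ValueError("decoding failed: too many errors")
    return quot

def keygen(n, k, W, rng):
    """Public key y_i = p(z_i) + E_i + z_i^k with exactly W non-zero E_i; secret key = error locations."""
    z = rng.sample(range(1, P), n)
    p = [rng.randrange(P) for _ in range(k)]  # hidden p, degree < k
    err = set(rng.sample(range(n), W))
    y = [(poly_eval(p, z[i]) + (rng.randrange(1, P) if i in err else 0) + pow(z[i], k, P)) % P
         for i in range(n)]
    return (z, y, k), err

def encrypt(pk, msg, w, rng):
    """y'_i = alpha*y_i + p_msg(z_i) + e_i with exactly w non-zero e_i."""
    z, y, _ = pk
    alpha = rng.randrange(1, P)
    err = set(rng.sample(range(len(z)), w))
    ct = [(alpha * y[i] + poly_eval(msg, z[i]) + (rng.randrange(1, P) if i in err else 0)) % P
          for i in range(len(z))]
    return ct, alpha

def decrypt(pk, sk, ct, w):
    """Drop the W secret error locations, decode p*, read alpha off the x^k coefficient
    and return (alpha, p_msg) with p_msg = p* - alpha*(x^k + p)."""
    z, y, k = pk
    good = [i for i in range(len(z)) if i not in sk]
    # the receiver re-derives the hidden p by interpolating y_i - z_i^k on error-free points
    p = bw_decode([(z[i], (y[i] - pow(z[i], k, P)) % P) for i in good], k - 1, 0)
    pstar = bw_decode([(z[i], ct[i]) for i in good], k, w)
    alpha = pstar[k]
    msg = [(pstar[j] - alpha * (p + [1])[j]) % P for j in range(k + 1)]
    return alpha, msg[:k]  # msg[k] is 0 by construction

def roundtrip(n=20, k=3, W=6, w=4, seed=1):
    """Key generation, encryption and decryption once; True iff alpha and msg come back."""
    assert n > 2 * w + W + k + 1, "Condition #1 of section 2.1 violated"
    rng = random.Random(seed)
    pk, sk = keygen(n, k, W, rng)
    msg = [rng.randrange(P) for _ in range(k)]
    ct, alpha = encrypt(pk, msg, w, rng)
    return decrypt(pk, sk, ct, w) == (alpha, msg)
```

Note that some of the sender's $w$ errors land on the $W$ discarded positions, so the reduced instance usually carries fewer than $w$ errors; the solver therefore returns a particular solution of the then-underdetermined Berlekamp-Welch system, which still yields $N = E \cdot p^*$.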

2.2 A Cryptanalytic Framework 

The cryptanalytic problem that is the basic building block for mounting a ciphertext-only attack on the public-key cryptosystem of [AF03] as described above is defined as follows:

Definition 2 Ciphertext-Only Attack Problem (CAP). Given two sequences of tuples $X_1 := \{(z_i, y_i)\}_{i=1}^n$ and $X_2 := \{(z_i, y'_i)\}_{i=1}^n$ and parameters $n, k, w, W$ that satisfy the following conditions

i. $w < \frac{n - W - k - 1}{2}$ and $W > n - \sqrt{n(k-1)}$.

ii. $\{(z_i, y_i - z_i^k)\}_{i=1}^n$ is a random PR-instance with parameters $[n, k, W]$.

iii. $\exists \alpha \in \mathbb{F}$ such that $\{(z_i, y'_i - \alpha y_i)\}_{i=1}^n$ is a random PR-instance with parameters $[n, k, w]$.

Goal. Find a list of values of polynomial length that contains the value $\alpha$.

Any algorithm that solves CAP in polynomial time can be turned into a ciphertext-only attack against the cryptosystem of [AF03], as the following proposition reveals.

Proposition 1. Let $\mathcal{A}$ be an algorithm that solves CAP in polynomial time. Then any message encrypted in the cryptosystem of [AF03] can be decrypted without knowledge of the secret key in time polynomial in the security parameter.

2.3 Coron’s Attack 

In [Cor03c], Coron presented an elegant ciphertext-only attack against the cryptosystem of [AF03]. We explain the attack briefly below and show that in fact it can be seen as an algorithm to solve CAP (in fact our formulation of CAP above is motivated by the original attack and by further extensions of this idea in the sequel).

Let $X_1, X_2$ be an instance of CAP, with $X_1 = \{(z_i, y_i)\}_{i=1}^n$, $X_2 = \{(z_i, y'_i)\}_{i=1}^n$ and parameters $k, w, W, n$. Due to condition iii of definition 2 it follows that there exist $p \in \mathbb{F}[x]$ of degree less than $k$ and $\alpha \in \mathbb{F}$, so that $p(z_i) \neq y'_i - \alpha y_i$ for at most $w$ indexes $i$.

The attack modifies the Berlekamp-Welch algorithm: Let $E(x)$ be a monic polynomial of degree $w$ such that $E(z_i) = 0$ for exactly those indexes $i$ for which $p(z_i) \neq y'_i - \alpha y_i$. The existence of this polynomial is guaranteed by condition iii of definition 2. Let $N(x) = p(x)E(x)$ be a polynomial of degree less than $k + w$.

Now consider the following system of equations

$$\left[\, E(z_i)(y'_i - \lambda y_i) = N(z_i) \,\right]_{i=1}^{n} \qquad \text{(system 1)}$$

that has as unknowns the $2w + k$ coefficients of the polynomials $E, N$. Observe that the above system (with $\lambda$ as a parameter) is not homogeneous (due to the fact that $E$ is monic). Recall that all steps up to this point follow exactly the Berlekamp-Welch algorithm (modulo the unknown $\lambda$ value).

Now consider the slightly extended system below:

$$\left[\, E'(z_i)(y'_i - \lambda y_i) = N(z_i) \,\right]_{i=1}^{n} \qquad \text{(system 2)}$$

where $E'(x)$ is a non-monic polynomial that has the same properties as $E$ (i.e. $E'$ and $E$ have the same roots). It follows that system 2 defined above is homogeneous with $2w + k + 1$ unknowns. Let $A_2[\lambda]$ be the $n \times (2w + k + 1)$-matrix of system 2.

Due to condition i of definition 2 the number of equations $n$ satisfies

$$n > 2w + k + 1$$

and thus system 2 has at least as many equations as unknowns.

Case 1 of the Attack. $\mathrm{rank}(A_2[0]) = 2w + k + 1$ (i.e., $A_2[0]$ is of full rank). It follows that there are $2w + k + 1$ linearly independent equations in system 2 for $\lambda = 0$ (and their locations can be recovered e.g. by Gaussian elimination). Without loss of generality let us assume that these are the equations on locations $1, \ldots, 2w + k + 1$. We eliminate the remaining $n - (2w + k + 1)$ equations from system 2, to make it a square homogeneous system, and we call the remaining equations system 3.

It follows that if we substitute the value $\alpha$ for $\lambda$ in the matrix of system 3, the matrix is singular since it accepts a non-trivial solution (the polynomials $E', N$). As a result the matrix of system 3, denoted by $A_3[\lambda]$, has the following property:

$$\exists \alpha \in \mathbb{F} : \det(A_3[\alpha]) = 0$$

Now observe that the determinant of system 3 is a polynomial $f(\lambda) := \det(A_3[\lambda])$ of degree at most $w + 1$ (because $\lambda$ is only involved in the part of the matrix of system 3 that corresponds to the polynomial $E'$).

Further observe that $f(0) = \det(A_3[0]) \neq 0$ because of our selection of $A_3[\lambda]$ to have the property that $A_3[0]$ is the full-rank minor of the matrix $A_2[0]$. Thus, the value $\alpha$ is among the $w + 1$ roots of $f$, and the output will be the list of roots of $f$. It follows that the above algorithm gives an efficient solution for the CAP problem.
Case 2 of the Attack. $\mathrm{rank}(A_2[0]) < 2w + k + 1$. In this case one can find a non-trivial solution of the system $A_2[0]$ which defines two non-zero polynomials $E', N$ such that

$$\left[\, E'(z_i)\, y'_i = N(z_i) \,\right]_{i=1}^{n}$$

Since $y'_i = \alpha(p(z_i) + z_i^k + E_i) + p_{msg}(z_i) + e_i$ it follows that

$$\left[\, E'(z_i)\big(\alpha(p(z_i) + z_i^k + E_i) + p_{msg}(z_i) + e_i\big) = N(z_i) \,\right]_{i=1}^{n}$$

Let $I$ be the subset of $\{1, \ldots, n\}$ for which it holds that $i \in I \Longleftrightarrow (e_i = 0) \wedge (E_i = 0)$. It follows that

$$\left[\, E'(z_i)\, p^*(z_i) = N(z_i) \,\right]_{i \in I}$$

where $p^*(x) = \alpha(p(x) + x^k) + p_{msg}(x)$. Recall that the degree of the polynomial $N$ is less than $k + w$ and $E'$ is a polynomial of degree $w$; it follows that $E'(x)p^*(x)$ is a polynomial of degree $w + k$.

Observe that $|I|$ is a random variable (denoted by $\eta$) ranging from $n - w - W$ to $n - \max\{w, W\}$. Next consider this relation:

$$\eta > w + k \qquad \text{(Sufficient Condition for Case 2)}$$

Under the above relation, it follows that $|I| \geq w + k + 1$ and as a result the polynomials $E'(x)p^*(x)$ and $N(x)$ are equal. It follows immediately that $p^* = N/E'$; naturally, given $p^*$ we recover $\alpha$ immediately and non-ambiguously (in fact, in this case we will even be able to recover the value of the secret key).

Performing a worst-case analysis of the above, we know that $\eta \geq n - w - W$ and as a result the attack would go through as long as $n - w - W > w + k \Longleftrightarrow n > 2w + W + k$, something that matches condition #1 of the [AF03]-cryptosystem (cf. section 2.1); thus case 2 of the attack can be carried out for the parameters of the cryptosystem (without even taking into account that $\eta$ would be somewhat larger than its lower bound $n - w - W$).

On the other hand, it would be of interest to us to find a necessary condition for case 2 of the attack (the reason for this will become clear in section 3). This can be found by setting $\eta$ to its highest possible value and requiring this to be greater than $w + k$: $\eta := n - \max\{w, W\} > w + k$; this is equivalent to:

$$n > w + \max\{w, W\} + k \qquad \text{(Necessary condition for Case 2)}$$



3 The Increased Error Case 

The cryptosystem of [AF03] mandates that the number of errors introduced by the sender in the formation of the ciphertext is less than or equal to $\frac{n - W - k - 1}{2}$ (condition #1 of section 2.1), to ensure unique decoding in the reduced PR-instance that is obtained after removing the $W$ locations that contain the errors of the public key.
We observe that the bound on $w$ is unreasonably low, for the following reason: many of the errors introduced by the sender will fall into the error area of the public key, and thus they will not affect the decryption operation (i.e., introducing a new error in an already erroneous location is a case where $1 + 1 = 1$).

To see this better, we can think of the sender in the cryptosystem as playing the following game: he selects $w$ points out of $n$ and randomizes them. Since $W$ of these points will be discarded by the receiver, it follows that the number of good points (out of the total $n - W$ good points) that will be randomized by the sender follows a hypergeometric distribution with mean value $\frac{w(n-W)}{n}$. It follows that the expected number of good points that will be randomized by the sender is $\frac{w(n-W)}{n}$.

In order to ensure decoding for the decryption operation it suffices to force $e < \frac{n - W - k - 1}{2}$, where $e$ is a random variable that follows the hypergeometric distribution with mean $\frac{w(n-W)}{n}$. Let $w = \frac{n - W - k - 1}{2\left(\frac{n-W}{n} + \varepsilon\right)}$ for some $\varepsilon > 0$. Using the Chvátal bound for the hypergeometric distribution, [Chv79], we have that

$$\Pr\left[e > \left(\frac{n-W}{n} + \varepsilon\right) w\right] \le e^{-2\varepsilon^2 w} \;\Longleftrightarrow\; \Pr\left[e > \frac{n - W - k - 1}{2}\right] \le e^{-2\varepsilon^2 w}$$

From the above, as long as $\varepsilon < W/n$, if we set $w = \frac{n - W - k - 1}{2\left(\frac{n-W}{n} + \varepsilon\right)}$ it follows that the probability $\Pr\left[e > \frac{n - W - k - 1}{2}\right]$ is at most $e^{-2\varepsilon^2 w}$, and thus condition #1 of section 2.1 will be satisfied in the probabilistic sense and decryption will succeed with probability $1 - e^{-2\varepsilon^2 w}$.

We will concentrate on parameters s.t. $W > w$ and $w$ is selected as above. Consider for example the assignment $n = 2000$, $k = 100$, $W > 1556$ (to avoid an attack with [GS98] on the public key), e.g. we set $W = 1600$, and $\varepsilon = 1/6$; now observe that $W/n = 0.8 > 1/6$. The equation for $w$ mentioned above yields $w = 407$. It follows that the probability of correct decryption is $1 - e^{-2\varepsilon^2 w} = 1 - e^{-407/18} \approx 1 - 2^{-32}$. Observe now that case 2 of Coron's attack would be foiled since the necessary condition fails:

$$n > w + \max\{w, W\} + k \;\Longleftrightarrow\; 2000 > 1600 + 407 + 100 \quad \text{(false)}$$

Thus, by merely increasing the number of errors that the sender of the cryptosystem introduces during encryption (relying on randomization to allow decryption with very high probability), we are capable of thwarting the analysis of Coron's attack (in particular the analysis of case 2 of the attack). Observe that this is possible without any other modification of the cryptosystem whatsoever.

Nevertheless, this is only a temporary comfort, as we will prove in the next section.



4 With High Probability Modified Coron's Attack Succeeds Against Increased Errors

Next, we use another probabilistic analytical tool to show that, in fact, in spite of the increased errors, the attack actually works with high probability.

First, observe that the error increase we introduced in section 3 does not apply to case 1 of Coron's attack. Indeed, one can show for any $\varepsilon > 0$ that

$$\frac{n - W - k - 1}{2\left(\frac{n-W}{n} + \varepsilon\right)} < \frac{n - k - 1}{2}$$

and the condition $w < (n - k - 1)/2$ is sufficient for case 1 to go through (that is, if we can apply it). Recall that case 1 of the attack only applies to the case $\det(A_3[0]) \neq 0$.

We will show that this in fact happens most of the time (a fact observed in practice in [Cor03c] but not proved). This means that the attack works even in the increased-error setting of the previous section. Let us recall the matrix of system 2, as defined in section 2.3.

$$A_2[\lambda] = (B_2 \mid C_2[\lambda]) = \begin{pmatrix} 1 & z_1 & \cdots & z_1^{w+k-1} & y'_1 - \lambda y_1 & (y'_1 - \lambda y_1) z_1 & \cdots & (y'_1 - \lambda y_1) z_1^{w} \\ 1 & z_2 & \cdots & z_2^{w+k-1} & y'_2 - \lambda y_2 & (y'_2 - \lambda y_2) z_2 & \cdots & (y'_2 - \lambda y_2) z_2^{w} \\ \vdots & \vdots & & \vdots & \vdots & \vdots & & \vdots \\ 1 & z_n & \cdots & z_n^{w+k-1} & y'_n - \lambda y_n & (y'_n - \lambda y_n) z_n & \cdots & (y'_n - \lambda y_n) z_n^{w} \end{pmatrix}$$

where $B_2$ is a Vandermonde matrix of dimension $w + k$ over the elements $z_1, \ldots, z_n$; $B_2$ corresponds to the coefficients of $N(x)$. $C_2[\lambda]$ is a Vandermonde matrix of dimension $w + 1$ over the elements $z_1, \ldots, z_n$ where its $i$-th row is multiplied by $y'_i - \lambda y_i$, for $i = 1, \ldots, n$; $C_2$ corresponds to the coefficients of $E'(x)$. Recall that $A_2[\lambda]$ is an $n \times (2w + k + 1)$ matrix. We would like to prove that $\mathrm{rank}(A_2[0]) = 2w + k + 1$ with overwhelming probability.

If $\mathrm{rank}(A_2[0]) < 2w + k + 1$ then it follows that any $(2w + k + 1)$-minor of $A_2[0]$ is singular. Below we show that this event can only happen with very small probability (assuming that the underlying finite field $\mathbb{F}$ is large, something that is assumed in [AF03]); thus we deduce that the first case of the attack would work almost always.

Theorem 1. Let $P = \Pr[\mathrm{rank}(A_2[0]) < 2w + k + 1]$ be the probability that the rank of $A_2[0]$ is less than $2w + k + 1$, where the probability is taken over all possible choices for the given CAP instance out of which we construct $A_2[\lambda]$. It holds that $P \le 2w/|\mathbb{F}|$ and the proof works even if the first inequality of condition i of definition 2 is relaxed to only $w < (n - k - 1)/2$.



5 The Most General AF System Avoids Coron’s Attack 

5.1 An “Optimal Variant” of the Cryptosystem 

In this section we show that the number of errors $w$ introduced by the sender can, in fact, be increased further beyond the improved bound that we describe in section 3, by employing the proper decoding method for decryption (cf. figure 1). In particular, we make the following crucial observation: [AF03] requires that $w$ is below the error-correction bound of Reed-Solomon codes, so that the decryption (decoding) is unique. Nevertheless, the introduction of random errors in a large enough finite field (such fields are utilized in [AF03]) suggests that uniqueness of decoding can be ensured far beyond the error-correction bound.

In the lemma below we show that randomly selected PR instances that can accept two different decodings are unlikely. This probabilistic analysis allows us to resort to modern list-decoding techniques in the sequel.

Lemma 1. Let $\{(z_i, y_i)\}_{i=1}^n$ be an RS-code codeword of a random message $p \in \mathbb{F}[x]$ with $\mathrm{degree}(p) < k$ that has $e$ errors uniformly randomly distributed over $W$, s.t. $e < n - k$. Then, the probability that it accepts another decoding $p' \in \mathbb{F}[x]$ with $p \neq p'$ is at most $\binom{n}{e} / |\mathbb{F}|^{n-e-k}$ (the probability is taken over all possible messages and noise corruptions).

Now observe that if the "message rate" is $\kappa := k/n$ and the "error rate" is $\epsilon := e/n$, with $\kappa, \epsilon \in (0, 1)$, then it follows that the probability in lemma 1 is less than $\left(2 / |\mathbb{F}|^{1 - \kappa - \epsilon}\right)^n$. As a result, provided that $\mathbb{F}$ satisfies $|\mathbb{F}|^{1 - \kappa - \epsilon} > 4$, it follows that the probability of proposition 1 is "negligible."

Optimal Parameter Setting and Modifications for the Cryptosystem of [AF03]. Taking advantage of the above lemma in conjunction with the observation of section 3, we can increase the error parameter $w$ further. We refer to our choice as optimal with respect to figure 1 under the basic assumption that the list-decoding algorithm of [GS98] represents the state of the art in RS-decodability.

Below we assume that the sender employs the algorithm of [GS98] for decryption. For this algorithm to work it should hold that $e < (n - W) - \sqrt{(n - W)k}$, where $e$ is the number of errors introduced in the area of good points of the public key due to the encryption operation. As argued in section 3, $e$ is a random variable following a hypergeometric distribution with mean $\frac{w(n-W)}{n}$. In our analysis below we will simply substitute $e$ for the expected number of errors. Note that this does not guarantee that the receiver will be capable of recovering the transmitted message "most of the time." To guarantee this we would have to show that the probability $\Pr[e < (n - W) - \sqrt{(n - W)k}]$ is overwhelming (as we did in section 3), something that cannot simply be inferred from the fact that the mean of $e$ is less than $(n - W) - \sqrt{(n - W)k}$; in order for the receiver to be able to decrypt most of the time we would instead require that the mean of $e$ is sufficiently lower than the bound $(n - W) - \sqrt{(n - W)k}$ and then employ the Chvátal bound on the tails of the hypergeometric distribution to bound the error probability by a negligible fraction, [Chv79] (as in section 3).

Nevertheless, since we intend to cryptanalyze the resulting cryptosystem, we will opt for simply substituting $e$ for its mean, as this would only make our attack stronger. On the other hand, observe that a public-key cryptosystem that works, say, half the time is still quite useful. Thus, substituting $e$ for $\frac{w(n-W)}{n}$, we obtain

$$\frac{n - W}{n}\, w < (n - W) - \sqrt{(n - W)k} \;\Longleftrightarrow\; w < n - n\sqrt{\frac{k}{n - W}}$$

We conclude that the optimal selection would allow the parameter $w$ to be selected as high as:

$$w < n\left(1 - \sqrt{\frac{k}{n - W}}\right)$$

The new bound above increases the number of errors that we can allow the sender to introduce, as long as $W$ is selected appropriately:

Proposition 2. There are choices for $W$ such that $W > n - \sqrt{n(k-1)}$ and $n\left(1 - \sqrt{\frac{k}{n - W}}\right) > \frac{n - k - 1}{2}$, as long as $k > 5$ and $k/n < 1/16$.

Now recall that the necessary condition for Coron's attack (both cases) is $w < \frac{n - k - 1}{2}$. It follows from the proposition above that our analysis puts the parameter $w$ beyond the range of Coron's attack, provided that $W$ is properly selected. To illustrate this concretely, suppose that $n = 2500$ and $k = 101$. Then $W$ should be selected in the range $[2000, \ldots, 2126]$; if we make the choice $W = 2063$ then we can set $w$ to be as high as 1298, whereas Coron's attack would correct any value of $w$ only up to 1199. Note that the gap of 99 elements between the bound of Coron's attack and the assignment $w = 1298$ ensures that the application of the attack by removing 99 points at random would only succeed with probability less than $(0.52)^{99} \approx 2^{-93}$ (since the ratio of the sender-introduced error points is $\approx 0.52$).
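The parameter arithmetic of sections 3 and 5, as an added check (illustration code written for this page, not from the paper): it reproduces the Chvátal-based choice of $w$ and the decryption-failure bound for $n = 2000$, $k = 100$, $W = 1600$, $\varepsilon = 1/6$, and the admissible $W$ range, the optimal $w$ and Coron's bound for $n = 2500$, $k = 101$. The function names and the integer rounding conventions (ceil for a lower bound on $W$, strict inequalities for $w$) are this example's own.

```python
"""Parameter bounds of the [AF03] variants discussed in sections 3 and 5.
Added illustration only; the formulas are the ones stated in the text."""
import math


def chvatal_w(n, k, W, eps):
    """Section 3: largest integer w with ((n-W)/n + eps) * w <= (n-W-k-1)/2, so that
    the Chvatal tail bound keeps the errors on good points within Condition #1."""
    return math.floor((n - W - k - 1) / (2 * ((n - W) / n + eps)))


def decryption_failure_bound(w, eps):
    """Chvatal bound: Pr[e > ((n-W)/n + eps) w] <= exp(-2 eps^2 w)."""
    return math.exp(-2 * eps ** 2 * w)


def bits_of(prob):
    """Express a probability as 2^-bits (helper for reading the bounds)."""
    return -math.log2(prob)


def coron_case2_possible(n, k, w, W):
    """Necessary condition for case 2 of Coron's attack (section 2.3)."""
    return n > w + max(w, W) + k


def coron_max_w(n, k):
    """Both cases of Coron's attack need w < (n-k-1)/2; the page quotes the floor."""
    return math.floor((n - k - 1) / 2)


def min_W(n, k):
    """Smallest W not below n - sqrt(n(k-1)), the [GS98] bound on the public key."""
    return math.ceil(n - math.sqrt(n * (k - 1)))


def optimal_max_w(n, k, W):
    """Section 5: largest integer w with w < n(1 - sqrt(k/(n-W)))."""
    return math.ceil(n * (1 - math.sqrt(k / (n - W)))) - 1


def admissible_W_range(n, k):
    """Proposition 2: W values that are list-decoding safe for the public key and
    still push the optimal w beyond Coron's range; returns (lowest, highest)."""
    ok = [W for W in range(min_W(n, k), n - k)
          if optimal_max_w(n, k, W) > coron_max_w(n, k)]
    return (min(ok), max(ok)) if ok else None


def random_removal_success(n, w, gap):
    """Probability that dropping `gap` random points removes only sender-error points,
    i.e. that the gap between w and Coron's bound is closed by luck."""
    return (w / n) ** gap
```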

Corollary 1. Coron's attack cannot be applied against the [AF03]-cryptosystem in the optimal parameter setting.

To draw a parallel to our exposition in section 2.2, we introduce the problem CAP+ to stand for the ciphertext-only attack problem of the optimal variant of the Augot and Finiasz cryptosystem (the only difference from CAP being in the choice of $w$):

Definition 3 Ciphertext-Only Attack Problem in the Optimal Parameter Setting (CAP+). Given two sequences of tuples $X_1 := \{(z_i, y_i)\}_{i=1}^n$ and $X_2 := \{(z_i, y'_i)\}_{i=1}^n$ and parameters $k, w, W$ that satisfy the following conditions

i. $w < n\left(1 - \sqrt{\frac{k}{n - W}}\right)$, and $W > n - \sqrt{n(k-1)}$.

ii. $\{(z_i, y_i - z_i^k)\}_{i=1}^n$ is a random PR-instance with parameters $[n, k, W]$.

iii. $\exists \alpha \in \mathbb{F}$ such that $\{(z_i, y'_i - \alpha y_i)\}_{i=1}^n$ is a random PR-instance with parameters $[n, k, w]$.

Goal. Find a list of values of polynomial length that contains the value $\alpha$.

As before we show that any algorithm that solves CAP+ can be used to mount a ciphertext-only attack on the cryptosystem of [AF03] (but now in the optimal parameter setting):

Proposition 3. Let $\mathcal{A}$ be an algorithm that solves CAP+ in polynomial time. Then any message encrypted in the cryptosystem of [AF03] in the optimal parameter setting can be decrypted without knowledge of the secret key in time polynomial in the security parameter.

In the lemma below we give an upper bound on the value of $w$ (that is independent of $W$).

Lemma 2. For any CAP+ instance, it holds that $n - w > \sqrt[3]{n^2(k - 1)}$.



6 The Attack Against the General System Employing List-Decoding

The results we present in this section (essentially an algorithm for solving CAP+) are based on Sudan's list-decoding algorithm [Sud97] and the Guruswami-Sudan algorithm [GS98] (for both there are efficient polynomial-time algorithms, see [McE03]).

6.1 The Attack

Let $n, k, w, W \in \mathbb{Z}$ and $X_1 = \{(z_i, y_i)\}_{i=1}^n$, $X_2 = \{(z_i, y'_i)\}_{i=1}^n$ be an instance of CAP+. We denote $\hat{y}_i := y'_i - \lambda y_i$ for $i = 1, \ldots, n$, where $\lambda$ is an unspecified parameter (free variable); to set the parameter $\lambda$ to a specific value $\alpha$ we will write $\hat{y}_i[\alpha]$.

According to the definition of a CAP+ instance we know that there exists a value $\alpha \in \mathbb{F}$ (the "encryption coefficient") and a polynomial $p \in \mathbb{F}[x]$ of degree less than $k$ (the "message polynomial") that agrees with $n - w$ of the points $(z_i, \hat{y}_i[\alpha])$. Define $l := n - w - 1$. Next we consider the following system of equations on a set of unknowns $\{u_{j_1, j_2}\}_{j_1 \ge 0,\, j_2 \ge 0,\, j_1 + (k-1)j_2 \le l}$ (called system 4):

$$\forall i \in \{1, \ldots, n\}: \quad \sum_{j_1 \ge 0,\; j_2 \ge 0,\; j_1 + (k-1)j_2 \le l} u_{j_1, j_2}\, z_i^{j_1}\, \hat{y}_i^{j_2} = 0 \qquad \text{(system 4)}$$

Observe that any solution to system 4 above defines a bivariate polynomial $Q(x, y)$ that satisfies the property $\mathrm{degree}_x Q + (k - 1)\,\mathrm{degree}_y Q \le l$.

Lemma 3. The number of unknowns of system 4, is at least ■ 

Recall that from proposition 2 we know that we only consider parameter choices that satisfy $k/n < 1/16$. For such a range of parameters (and sufficiently large $n$) we, in fact, show:

Lemma 4. System 4 is not overdefined provided that $n > 19$ and $k/n < 1/9$.

Subsequently we omit the appropriate number of unknowns from system 4, to equalize the number of unknowns and equations. This results in a square homogeneous system of $n$ equations and unknowns that we call system 5. We denote the matrix of system 5 by $A[\lambda]$.

Theorem 2. Let $\alpha \in \mathbb{F}$ be the "encryption coefficient" for a CAP+ instance as defined in item iii of definition 3. The matrix $A[\alpha]$ as constructed above is singular.

Since $A[\alpha]$ is singular, it follows that if we define the polynomial $f(\lambda) := \det(A[\lambda])$, $\alpha$ will be among the roots of $f(\lambda)$. Thus we can solve CAP+ by computing all the (polynomially many, by the degree constraint) roots of $f(\lambda)$.

Theorem 3. The probability $P$ that the polynomial $f(\lambda) = \det(A[\lambda])$ is the zero polynomial satisfies $P \le 2s(n - l)/|\mathbb{F}|$, where $s$ is the maximum degree of the $y$-variable in any of the columns of $A[\lambda]$.

7 Summary 

In this section, we summarize our cryptanalytic results. 



Given an instance of CAP+ $\{(z_i, y_i)\}_{i=1}^n$, $\{(z_i, y'_i)\}_{i=1}^n$ with parameters $n, k, w, W$.

0. Set $l := n - w - 1$.

1. Select $D \subseteq \mathbb{N} \times \mathbb{N}$ so that $|D| = n$ and for all $(j_1, j_2) \in D$, $j_1 + (k - 1)j_2 \le l$.

2. Let $D = \langle (j_1[1], j_2[1]), \ldots, (j_1[n], j_2[n]) \rangle$, a lexicographic ordering of $D$.

3. Construct an $(n \times n)$-matrix $A$ so that its $(i, i')$-entry equals $z_i^{j_1[i']}\,(y'_i - \lambda y_i)^{j_2[i']}$.

4. Compute $f(\lambda) := \det(A[\lambda])$ symbolically to obtain the polynomial $f$ in $\lambda$.

5. Output all roots of $f$.

Fig. 2. The algorithm that solves CAP+

First, in figure 2 we overview the CAP+ algorithm that was presented in the previous section. Using this, the general cryptosystem based on Augot and Finiasz [AF03], even under the optimal choice of parameters, is broken under ciphertext-only attacks. The breaking algorithm is summarized in figure 3.

Given the public key and a ciphertext of the [AF03]-cryptosystem with parameters $n, k, w, W$.

1. If $w < \frac{n - k - 1}{2}$, invoke case 1 of Coron's attack.

2. Else invoke the CAP+ algorithm of figure 1, and recover the plaintext using the Guruswami-Sudan algorithm (as described in proposition 3).

Fig. 3. The attack against the generalized version of the [AF03]-cryptosystem

Note that the attack outlined above is probabilistic and is guaranteed to work with very high probability, as we have shown in theorem 1 (for case 1 of Coron's attack) and theorem 3 (for the CAP+ algorithm).
Abstract. An untraceable fair network payment protocol was proposed by Wang at Asiacrypt'03, which employs the existing techniques of off-line untraceable cash and a new technique called restrictive confirmation signature scheme (RCSS). It is claimed that the fair payment protocol has both fairness, such that the buyer obtains the digital goods if and only if the merchant gains the digital cash, and untraceability and unlinkability, such that no one can tell who is the original owner of the money. In this paper we show that the fairness is breached under a simple colluding attack, by which a dishonest merchant can obtain the digital money without the buyer obtaining the goods. We also apply the attack to some of the schemes of fair exchange of digital signatures proposed by Ateniese at ACM CCS'99. Our study shows that two of them are subject to the attack. A countermeasure against the attack is proposed for the fair exchange of digital signatures. However, we are unable to fix the fair payment protocol if the untraceability and unlinkability are the required features.



1 Introduction 

In Asiacrypt 2003, Wang proposed an untraceable fair network payment protocol, which is claimed to have untraceability, unlinkability and fairness [25]. The protocol is for online purchasing of digital goods with digital money. A buyer withdraws untraceable and unlinkable digital cash from a bank and buys some digital goods from an online merchant with the digital cash. The fairness is a feature that prevents either the buyer or the merchant from taking advantage of the other. It guarantees that the buyer can obtain the goods if and only if the merchant gains the money. The protocol combines the techniques of the untraceable offline e-coin ([8], [9]) and a new primitive called restrictive confirmation signature scheme (RCSS). By RCSS, a signature confirmed by a designated confirmer can only convince some specified verifiers. In this paper we present a colluding attack where a dishonest merchant can breach the fairness such that he can obtain the money without the buyer obtaining the goods. The problem with the protocol is that the money is the untraceable and unlinkable e-coin, which has no link with the buyer's ID and hence can be separated from the RCSS-signed order agreement. That is the vulnerable point our attack exploits. The attack does not work if the digital money is internally linked to the buyer's ID. But the untraceability and unlinkability would be lost in that case.

P.J. Lee (Ed.): ASIACRYPT 2004, LNCS 3329, pp. 417-429, 2004.

We can also apply a similar colluding attack to the schemes of fair exchange of digital signatures proposed by Ateniese in [4]. There are six schemes in [4] for fair exchange of 1) RSA signatures; 2) Gennaro-Halevi-Rabin signatures; 3) Cramer-Shoup signatures; 4) Guillou-Quisquater signatures; 5) Schnorr (or Poupard-Stern) signatures; and 6) ElGamal (or DSA) signatures, respectively. We show that 5) and 6) are subject to the attack, while 1), 2), 3) and 4) are not. The schemes 1), 2) and 3) have the same principle as the Boyd-Foo scheme in [7], where the TTP performs different converting functions for different users. The colluding attack does not apply to such schemes. Scheme 4) is an improved version of the Bao-Deng-Mao scheme in [5]. A flaw of [5], which was first pointed out in [7], is removed in 4). The reason why 5) and 6) are subject to the attack is that Schnorr signatures and ElGamal signatures have a special feature which Guillou-Quisquater signatures do not have. The feature does not affect the security requirements of digital signatures. However, it is the key point in determining whether the attack works. The feature will be discussed later in this paper. The attack works only if the system allows new users to register at any time.

The rest of the paper is organized as follows. In Section 2, we describe the untraceable fair payment protocol proposed at Asiacrypt'03. In Section 3, we present a colluding attack breaching the fairness of the protocol and explain why the attack works. In Section 4, we describe the two schemes of fair exchange of digital signatures proposed at ACM CCS'99. In Section 5, we discuss the special feature of digital signatures that we exploit and present the colluding attack on the two schemes. We also give the countermeasure against the attack. Section 6 concludes the paper.

2 Untraceable Fair Network Payment Protocol 

In this section we describe the untraceable fair network payment protocol proposed in [25]. For simplicity, we skip the details of the building block RCSS (restrictive confirmation signature scheme) and put it in Appendix A for interested readers. We also simplify the description of the protocol by assuming that the payment is in one e-coin instead of $n$ e-coins as in [25].

Entities 

$U$ — the buyer, who buys soft goods from the merchant. 

$M$ — the merchant, who sells the soft goods to the buyer. 

$B$ — the bank, who issues e-coins to the buyers. 

TTP — the trusted third party, who resolves disputes in the payment protocol. 

System Parameters and Cryptographic Keys 

$p, q, g$ — $p, q$ large primes, $q \mid p-1$, $g$ a generator of the subgroup $G_q$ 
of order $q$ of $\mathbb{Z}_p^*$. 

$y_B, x_B$ — $B$'s public and private keys, $y_B = g^{x_B} \bmod p$. 

$y_{TTP}, x_{TTP}$ — TTP's public and private keys, $y_{TTP} = g^{x_{TTP}} \bmod p$. 

$g_1, g_2$ — two elements of $G_q$ published by $B$, for the e-coin scheme. 

Two Building-Block Techniques 

RCSS — restrictive confirmation signature scheme. In RCSS, a signature signed 
by a signer $S$ can be confirmed by a confirmer $C$, and $C$ can convince only some 
specified verifiers $G$ that the signature is valid and truly signed by $S$. RCSS is 
the main technique designed for the fair payment protocol in [25]. It is denoted 
by $Sign_{RCSS}(S, C, G, m)$. 

BP — interactive bi-proof of equality. In BP either $\log_\alpha Y = \log_\beta Z$ or 
$\log_\alpha Y \neq \log_\beta Z$ is proved. The proof system is denoted by $BP(\alpha, Y, \beta, Z)$ in 
[25], where no detailed description of BP is presented but the reader is referred 
to [16] and [19]. 

The untraceable fair network payment protocol consists of five processes, 
namely account opening, withdrawal, payment, dispute and deposit. The details 
are as follows. 

Account Opening 

The buyer $U$ randomly selects $u_1 \in \mathbb{Z}_q$ and transmits $I = g_1^{u_1} \bmod p$ to $B$ if 
$I g_2 \neq 1$. The identifier $I$ used to uniquely identify $U$ can be regarded as the 
account number of $U$. Then $B$ publishes (we omit mod $p$ here) $g_1^{x_B}$ and $g_2^{x_B}$ 
so that $U$ can compute $z = (I g_2)^{x_B}$ for himself. 

Withdrawal 

The buyer $U$ performs the following protocol to withdraw an e-coin from the 
bank: 

1. $B$ randomly selects $w \in \mathbb{Z}_q^*$ and sends $e_1 = g^w$ and $e_2 = (I g_2)^w$ to $U$. 

2. $U$ randomly selects $s, x_1, x_2 \in \mathbb{Z}_q^*$ and computes $A = (I g_2)^s$, $B = g_1^{x_1} g_2^{x_2}$ 
and $z' = z^s$. $U$ also randomly selects $u, v, t_c \in \mathbb{Z}_q^*$ and computes 
$e_1' = e_1^u g^v$, $e_2' = e_2^{su} A^v$ and $(a_c, b_c) = (g^{t_c}, y_{TTP}^{t_c})$. Then $U$ sends 
$c = c'/u \bmod q$ to $B$, where $c' = H(A, B, z', e_1', e_2', b_c) + a_c \bmod q$ and $H$ is a 
collision-free hash function to $\mathbb{Z}_q^*$. Note that $(a_c, b_c)$ is a pair of confirmation 
parameters. 

3. $B$ sends $r = c x_B + w \bmod q$ to $U$. 

4. $U$ verifies whether $g^r = y_B^c e_1$ and $(I g_2)^r = z^c e_2$. If the verification holds, 
$U$ accepts and computes $r' = ru + v \bmod q$. Note that 
$\langle A, B, (z', e_1', e_2', r', a_c, b_c) \rangle$ represents a pseudo e-coin. 

Payment 

The buyer $U$ and the merchant $M$ exchange the e-coin and the soft goods in 
this protocol. In the original protocol multiple e-coins are traded for the soft 
goods. We present a simplified version of one e-coin without loss of generality. 

1. $U$ selects goods and signs an order agreement $\theta = Sign_{RCSS}(U, M, TTP, OA)$, 
where $OA = \{ID_U$, purchase data/information, goods description, $(A, B)\}$. 

2. $U$ sends the pseudo e-coin $\langle A, B, (z', e_1', e_2', r', a_c, b_c) \rangle$ and $\theta$ to $M$. 

3. $M$ verifies the pseudo e-coin and $\theta$. If all of them are valid and $A \neq 1$, then 
he sends $d = H(A, B, ID_M, \text{date/time})$ to $U$. 

4. $U$ sends $k_1 = d u_1 s + x_1 \bmod q$ and $k_2 = ds + x_2 \bmod q$ to $M$. In addition, 
$U$ must run the interactive protocol of bi-proof $BP(g, a_c, y_{TTP}, b_c)$ with $M$ 
to show $\log_g a_c = \log_{y_{TTP}} b_c$. 

5. $M$ accepts the pseudo e-coin and the payment transcripts 
$\langle A, B, (z', e_1', e_2', r', a_c, b_c), (d, k_1, k_2) \rangle$ if the following verifications hold: 

$g^{r'} = y_B^{H(A, B, z', e_1', e_2', b_c) + a_c} \, e_1'$ 

$A^{r'} = z'^{\,H(A, B, z', e_1', e_2', b_c) + a_c} \, e_2'$ 

$g_1^{k_1} g_2^{k_2} = A^d B$ 

If the above verifications pass, $M$ sends the soft goods to the buyer $U$. 

6. $U$ checks the soft goods delivered by $M$. If they match the description in $OA$, 
$U$ releases $t_c$ to $M$. Since everyone can check $a_c = g^{t_c}$ and $b_c = y_{TTP}^{t_c}$ by 
himself, the coin $\langle A, B, (z', e_1', e_2', r', a_c, b_c, t_c), (d, k_1, k_2) \rangle$ (i.e., the pseudo 
e-coin plus $t_c$) denotes a true e-coin that can be directly cashed from the bank. 

Disputes 

If $U$ refuses to send $t_c$ to the merchant $M$, $M$ begins the dispute process in 
which TTP can convert the pseudo e-coin into the true e-coin. 

1. $M$ sends the order agreement $OA$, the RCSS signature $\theta$, the soft goods and 
the pseudo e-coin $\langle A, B, (z', e_1', e_2', r', a_c, b_c), (d, k_1, k_2) \rangle$ to TTP. 

2. The TTP checks the validity of the soft goods, pseudo e-coin and signature $\theta$. 
If the pseudo e-coin is constructed properly, the soft goods from $M$ are consistent 
with the description in $OA$, and $\theta$ is valid, TTP sends $M$ a transformation 
certificate $TCer = (E_c, T_c)$, where $E_c = a_c^{\sigma}$ ($\sigma$ is a random number selected 
by TTP) and $T_c = \sigma + x_{TTP} F(a_c, E_c) \bmod q$ ($F$ is a public collision-free hash 
function). The transformation certificate can be used to verify the relation of 
$a_c$ and $b_c$ by the following equation: 

$a_c^{T_c} = E_c \, b_c^{F(a_c, E_c)}$ 

3. TTP sends the soft goods to the buyer $U$. 

Deposit 

In a normal case, $M$ forwards the payment transcript and the true e-coin 
$\langle A, B, (z', e_1', e_2', r', a_c, b_c, t_c), (d, k_1, k_2) \rangle$ to the bank for deposit. 
Nevertheless, if $U$ maliciously aborts the payment process, $M$ can start the dispute 
process to acquire the $TCer$ from TTP. In this situation, the pseudo e-coin 
$\langle A, B, (z', e_1', e_2', r', a_c, b_c), (d, k_1, k_2) \rangle$ plus $TCer = (E_c, T_c)$ can be the valid 
token for deposit. We can also regard 
$\langle A, B, (z', e_1', e_2', r', a_c, b_c), (d, k_1, k_2), (E_c, T_c) \rangle$ as a true e-coin in a 
different form. 



3 Analysis of the Fair Payment Protocol 

Before presenting our analysis, we copy the claimed security features of the fair 
payment protocol, which are expressed in the form of propositions and lemmas 
in [25]. 

Unforgeability. No one except $U$ can create his own pseudo e-coin 
$\langle A, B, (z', e_1', e_2', r', a_c, b_c), (d, k_1, k_2) \rangle$. 

Indistinguishability. No one can distinguish between a valid pseudo e-coin and 
a simulated one without the help of the buyer or TTP. 

Convertibility. If $M$ accepts the pseudo e-coin, it is guaranteed that TTP can 
later convert the pseudo e-coins into true e-coins which can be directly deposited 
in the bank. 

Fairness. If the above unforgeability, indistinguishability and convertibility hold 
for the proposed payment protocol, it can be guaranteed that at the end of the 
transaction, the buyer $U$ can obtain the soft goods if and only if the merchant 
$M$ can gain the equivalent true e-coin. 

Untraceability. No one except $M$ and TTP can confirm the signature $\theta$. That 
means only $M$ and TTP can be convinced that the order agreement $OA$ is valid. 

Unlinkability. The bank or other parties cannot link a coin 
$\langle A, B, (z', e_1', e_2', r', a_c, b_c) \rangle$ to the original owner. 

Idea of the Colluding Attack 

In the fair payment protocol, the merchant $M$ colludes with his conspirator $C$. 
After $M$ receives the pseudo e-coin from the buyer $U$, $M$ brings the pseudo e-coin 
to TTP but claims that the trade is between $C$ and $M$. Then the TTP will 
convert the e-coin to an equivalent true e-coin for $M$ and send the soft goods to 
$C$, while $U$ will gain nothing. Next we present the attack in detail and explain 
why there is no solution against the attack. 

Attack Details and Explanation 

1. The malicious merchant $M$ honestly implements the Payment protocol till 
step 5. After the verifications pass, he halts the protocol. That is, he obtains 
the valid pseudo e-coin without giving the soft goods. 

2. Then $M$ asks his conspirator $C$ to sign a forged order agreement between $M$ 
and $C$, $\theta' = Sign_{RCSS}(C, M, TTP, OA')$ where $OA' = \{ID_C, ID_M$, purchase 
data/information, goods description, $(A, B)\}$. 

3. $M$ starts the Dispute process by sending the order agreement $OA'$, the RCSS 
signature $\theta'$ on $OA'$, the soft goods and the pseudo e-coin 
$\langle A, B, (z', e_1', e_2', r', a_c, b_c), (d, k_1, k_2) \rangle$ to TTP. Note that TTP has no way 
to tell whether $OA'$ and $\theta'$ are consistent with the pseudo e-coin or not because of 
the unlinkability and untraceability. Note that the $d$ in the pseudo e-coin is 
$d = H(A, B, ID_M, \text{date/time})$ instead of $d = H(A, B, ID_M, ID_U, \text{date/time})$. If 
$d$ is replaced with $d = H(A, B, ID_M, ID_U, \text{date/time})$, the attack does not 
work anymore but the unlinkability and untraceability would disappear. 

4. TTP converts the pseudo e-coin into a true e-coin for $M$ and forwards the 
soft goods to $C$. The buyer $U$ is left without obtaining anything. 

5. The problem of the fair payment protocol is that the e-money is in the form 
of digital cash, which is generated with the bank's private key and has no 
link with the buyer $U$. If the e-money were in the digital cheque form that is 
generated with $U$'s private key, the attack would not work. 

6. The protocol cannot be fixed by asking $U$ to sign a pre-contract to indicate 
that the trade is between $U$ and $M$ or by any other means. The conspirator 
$C$ can just simulate $U$ by doing everything $U$ does. No one can distinguish $C$ 
from $U$ since the money is unlinkable and untraceable. 



4 Fair Exchange of Digital Signatures 

Fair exchange protocols have been studied by many researchers in recent years 
in [1], [2], [3], [4], [5], [6], [7], [11], [12], [15], [20], [26] and many other papers. 
Among them, [2], [4] and [5] have the same principle in employing verifiable 
encryption schemes (VES) of digital signatures. In [4], six schemes are proposed 
in its sections 4.1, 4.2, 4.3, 4.4, 4.6 and 4.7, respectively. The first three schemes 
are actually not by VES but by the same method as [7]. The latter three schemes 
exploit the VES of Guillou-Quisquater signatures, VES of Schnorr signatures and 
VES of ElGamal signatures, respectively. We describe the latter two here in the 
same notation as in [4]. Before our description, we introduce a technique that 
is the main building-block for the schemes. 

Building-Block $EQ\_DLOG(m; y_1, y_2; g_1, g_2)$ 

$EQ\_DLOG(m; y_1, y_2; g_1, g_2)$ is a non-interactive proof system for proving 
$Dlog_{g_1} y_1 = Dlog_{g_2} y_2$ without disclosing the value $x = Dlog_{g_1} y_1 = Dlog_{g_2} y_2$. 
The proof is associated with a message $m$. Here $g_1, y_1 \in$ group $G_1$, $g_2, y_2 \in$ 
group $G_2$, and at least one of $G_1$ and $G_2$ has an unknown order with bit-length 
$l$. Let $H$ be a hash function $\{0, 1\}^* \to \{0, 1\}^k$ and $\epsilon > 1$ be a security parameter. 
The proof $EQ\_DLOG(m; y_1, y_2; g_1, g_2)$ is implemented as follows. 

Prover: randomly choose $t \in [-2^{\epsilon(l+k)}, 2^{\epsilon(l+k)}]$, compute 
$c = H(m \| y_1 \| y_2 \| g_1 \| g_2 \| g_1^t \| g_2^t)$ and $s = t - cx$ (in the integers $\mathbb{Z}$). $(s, c)$ is 
the proof/signature of $EQ\_DLOG(m; y_1, y_2; g_1, g_2)$. 

Verifier: given $(s, c)$ and $(m, y_1, y_2, g_1, g_2)$, check if 
$c = H(m \| y_1 \| y_2 \| g_1 \| g_2 \| g_1^s y_1^c \| g_2^s y_2^c)$ and $s \in [-\ldots, \ldots]$. If both hold, 
the verification is passed. 

4.1 Fair Exchange of Schnorr Signatures 

Settings 

• System parameters: The system parameters are $p, q$ and $\alpha$, where $p, q$ are 
primes and $q \mid p-1$, and $\alpha$ is an element of order $q$ of $\mathbb{Z}_p^*$. 

• TTP: TTP has a pair of public/private keys $(n, g)$/(factors of $n$) for either 
the Naccache-Stern encryption scheme [18] or the Okamoto-Uchiyama encryption 
scheme [21]. The encryption of $M$ under the public key $(n, g)$ is $g^M \bmod n$ (or 
$h^r g^M \bmod n$ for a random $r$), and $M$ can be computed if the factors of $n$ are 
known. It is claimed in [4] that both schemes can be adopted but for the sake of 
simplicity the Naccache-Stern encryption scheme is employed. 

• Alice: Alice has a pair of public/private keys $y/a$ for the Schnorr signature 
scheme where $y = \alpha^a \bmod p$. 

• Bob: Bob also has a pair of public/private keys for signature. Bob's signature 
on message $M$ is denoted by $S_{Bob}(M)$. 

• Message: $m$ is a message, on which Alice and Bob are exchanging their 
signatures. 

Fair Exchange by Verifiable Encryption 

1. Alice generates her signature $S_{Alice}(m) = (s, e)$, where $r = \alpha^k \bmod p$, 
$e = H(m \| r)$ and $s = k + ea \bmod q$, for a randomly chosen $k$ from $\mathbb{Z}_q$. The 
verification of $S_{Alice}(m)$ is to check if $e = H(m \| \alpha^s y^{-e})$. Alice encrypts $s$ 
with TTP's public key $(n, g)$ by setting the ciphertext to be $C = g^s \bmod n$. 
The $e$ is left in plaintext, from which no one else can compute $s$. Since Alice 
knows $s$, she can implement $EQ\_DLOG(m; V, C; \alpha, g)$ for $V = \alpha^s \bmod p$. 
Then Alice sends the verifiable encryption of $S_{Alice}(m)$ to Bob. That is 
$(C, e, V)$ plus the proof of $EQ\_DLOG(m; V, C; \alpha, g)$. 

2. Bob checks the proof of $EQ\_DLOG(m; V, C; \alpha, g)$ and $e = H(m \| V y^{-e})$, and if 
valid, sends $S_{Bob}(m)$ to Alice, otherwise does nothing. 

3. Alice verifies Bob's signature and, if valid, sends $S_{Alice}(m)$ to Bob. 

4. If Bob does not receive anything or if Alice's signature is invalid, then he 
sends the verifiable encryption of $S_{Alice}(m)$ and $S_{Bob}(m)$ to TTP. This provides 
a vehicle for TTP to understand whether the protocol was correctly 
carried out. If this is the case, TTP sends $S_{Alice}(m)$ to Bob and $S_{Bob}(m)$ to 
Alice. 

4.2 Fair Exchange of ElGamal Signatures 

The settings are exactly the same as in the fair exchange of Schnorr signatures 
in Section 4.1. The scheme of fair exchange of ElGamal signatures is as follows. 

1. Alice generates her signature $S_{Alice}(m) = (s, r)$, where $r = \alpha^k \bmod p$ and 
$s = k H(m) + ar \bmod q$, for a randomly chosen $k$ from $\mathbb{Z}_q$. The verification of 
$S_{Alice}(m)$ is to check if $\alpha^s = r^{H(m)} y^r \bmod p$. Alice encrypts $s$ with TTP's 
public key $(n, g)$ by setting the ciphertext to be $C = g^s \bmod n$. The $r$ is 
left in plaintext, from which no one else can compute $s$. Since Alice knows 
$s$, she can implement $EQ\_DLOG(m; V, C; \alpha, g)$ for $V = \alpha^s \bmod p$. Then 
Alice sends the verifiable encryption of $S_{Alice}(m)$ to Bob. That is $(C, r, V)$ 
plus the proof of $EQ\_DLOG(m; V, C; \alpha, g)$. 

2. Bob checks the proof of $EQ\_DLOG(m; V, C; \alpha, g)$ and $V = r^{H(m)} y^r \bmod p$, 
and if valid, sends $S_{Bob}(m)$ to Alice, otherwise does nothing. 

3. Alice verifies Bob's signature and, if valid, sends $S_{Alice}(m)$ to Bob. 

4. If Bob does not receive anything or if Alice's signature is invalid, then he 
sends the verifiable encryption of $S_{Alice}(m)$ and $S_{Bob}(m)$ to TTP. This provides 
a vehicle for TTP to understand whether the protocol was correctly 
carried out. If this is the case, TTP sends $S_{Alice}(m)$ to Bob and $S_{Bob}(m)$ to 
Alice. 
5 Colluding Attacks and Countermeasures 

5.1 A Feature of Digital Signatures 

The digital signatures we consider here are those that consist of two parts, such 
as the $(s, e)$ of the Schnorr scheme, the $(s, r)$ of the ElGamal scheme, the $(d, D)$ of 
the Guillou-Quisquater scheme and similar signatures of many other schemes. Let 
us denote a signature on message $m$ with public/private keys $PK/SK$ by $(X, Y)$, 
and the verification formula of the signature by 

$Ver(m, X, Y, PK) = 1$   (1) 

The security requirement of a digital signature demands that, for given $PK$, 
it is infeasible to compute $m$ and $(X, Y)$ such that (1) holds without knowing 
$SK$. (That is the unforgeability in the passive attack model. In the active attack 
model, the security requirement is that it is infeasible to forge a valid signature 
without knowing $SK$ even given a signing oracle.) However, the following feature 
is not prohibited by the security of signatures, while it plays an important role in 
our colluding attack. 

Feature. Given $m$, $(X, Y)$, $PK$ that satisfy (1), it is easy to find $Y' \neq Y$ 
and $PK' \neq PK$ such that $Ver(m, X, Y', PK') = 1$ without knowing $SK$. 

Schnorr Signature. Given a signature $(s, e)$ on message $m$ such that 
$e = H(m \| \alpha^s y^{-e})$, we can always find $e' \neq e$ and $y' \neq y$ such that 
$e' = H(m \| \alpha^s y'^{-e'})$. We just take $e' = H(m \| \alpha^s \alpha^t)$ for a randomly chosen 
$t \in \mathbb{Z}_q$, and then set $x' = -t/e' \bmod q$ and $y' = \alpha^{x'} \bmod p$. Hence Schnorr 
signatures have the feature. 

ElGamal Signature. Given a signature $(s, r)$ on message $m$ such that 
$\alpha^s = r^{H(m)} y^r \bmod p$, we can find $r' \neq r$ and $y' \neq y$ such that 
$\alpha^s = r'^{H(m)} y'^{r'} \bmod p$. We take $r' = (\alpha^s / \alpha^t)^{1/H(m)}$ for a randomly chosen 
$t \in \mathbb{Z}_q$, and then set $x' = t/r' \bmod q$ and $y' = \alpha^{x'} \bmod p$. Hence ElGamal 
signatures have the feature. 

Guillou-Quisquater Signature. In the Guillou-Quisquater scheme, $n = pq$ is 
generated by a trusted center, where $p$ and $q$ are safe primes. A large prime $v$ is 
selected, and $n$ and $v$ are published as system parameters. The $p, q$ are 
recommended to be destroyed after that. (It is also allowed that $n$ is generated by 
each signer. In that case different signers have different $n, v$.) The public/private 
keys $J/B$ have the relation $B^v J = 1 \bmod n$. A signature $(d, D)$ can be generated 
with the private key $B$ by setting $T = r^v$, $d = H(m \| T)$ and $D = r B^d$, where 
$r$ is randomly chosen from $\mathbb{Z}_n$. The verification of $(d, D)$ is $d = H(m \| D^v J^d)$. 
To generate $d' \neq d$, $J' \neq J$ such that $d' = H(m \| D^v J'^{d'})$ is not as simple as the 
problems for Schnorr and ElGamal signatures. We cannot solve the problem of 
computing the $d'$-th root mod $n$ since the factorization of $n$ is not known. 
5.2 Attack to Fair Exchange of Schnorr and ElGamal Signatures 

Attack to Fair Exchange of Schnorr Signature by Dishonest Bob 

1. Alice generates her signature $S_{Alice}(m) = (s, e)$, where $e = H(m \| r)$ and 
$s = k + ea \bmod q$ for randomly chosen $k \in \mathbb{Z}_q$ and $r = \alpha^k \bmod p$. The 
verification formula of $S_{Alice}(m)$ is $e = H(m \| \alpha^s y^{-e})$. Alice encrypts $s$ with 
TTP's public key $(n, g)$ by setting the ciphertext to be $C = g^s \bmod n$. Then 
she implements $EQ\_DLOG(m; V, C; \alpha, g)$ for $V = \alpha^s \bmod p$ and $C = g^s \bmod n$. 
After that Alice sends the verifiable encryption of $S_{Alice}(m)$ to Bob, 
i.e., $(C, e, V)$ plus the proof of $EQ\_DLOG(m; V, C; \alpha, g)$. 

2. Bob checks the proof of $EQ\_DLOG(m; V, C; \alpha, g)$ and $e = H(m \| V y^{-e})$, and if 
valid, halts the protocol. Then he computes $e', y'$ such that $e' = H(m \| V y'^{-e'})$, 
i.e., $e' = H(m \| V \alpha^t)$ for $t \in_R \mathbb{Z}_q$ and $y' = \alpha^{(-t/e' \bmod q)} \bmod p$, and asks 
his conspirator Cathy to register $y'$ as her public key. Bob can ask Cathy to 
sign $(C, e', V)$ and any other things that could be signed by Alice for any 
possible authentication. 

3. Bob sends $(C, e', V)$, the proof of $EQ\_DLOG(m; V, C; \alpha, g)$ and $S_{Bob}(m)$ to 
TTP and claims that the exchange is between Cathy and Bob. 

4. TTP first verifies the proof of $EQ\_DLOG(m; V, C; \alpha, g)$, then decrypts $s$ and 
verifies whether $(s, e')$ is a valid signature of Cathy and whether $S_{Bob}(m)$ is a 
valid signature of Bob. If all the verifications pass, TTP sends $S_{Cathy}(m) = (s, e')$ 
to Bob and $S_{Bob}(m)$ to Cathy. Hence Bob obtains Alice's signature 
$(s, e)$ without Alice obtaining anything. 

Attack to Fair Exchange of ElGamal Signature by Dishonest Bob 

1. Alice generates her signature $S_{Alice}(m) = (s, r)$, where $r = \alpha^k \bmod p$ and 
$s = k H(m) + ar \bmod q$ for a randomly chosen $k$ from $\mathbb{Z}_q$. The verification 
formula of $S_{Alice}(m)$ is $\alpha^s = r^{H(m)} y^r \bmod p$. Alice encrypts $s$ with 
TTP's public key $(n, g)$ by setting the ciphertext to be $C = g^s \bmod n$. 
Then she implements $EQ\_DLOG(m; V, C; \alpha, g)$ for $V = \alpha^s \bmod p$. Finally 
Alice sends the verifiable encryption of $S_{Alice}(m)$ to Bob, which is $(C, r, V)$ 
plus the proof of $EQ\_DLOG(m; V, C; \alpha, g)$. 

2. Bob checks the proof of $EQ\_DLOG(m; V, C; \alpha, g)$ and $\alpha^s = r^{H(m)} y^r \bmod p$, 
and if valid, halts the protocol. Then he computes $r', y'$ such that 
$\alpha^s = r'^{H(m)} y'^{r'} \bmod p$, i.e., $r' = (V / \alpha^t)^{(1/H(m) \bmod q)} \bmod p$ and 
$y' = \alpha^{(t/r' \bmod q)} \bmod p$ for $t \in_R \mathbb{Z}_q$, and asks his conspirator Cathy to 
register $y'$ as her public key. Bob can ask Cathy to sign $(C, r', V)$ and any other 
things that could be signed by Alice for authentication. 

3. Bob sends $(C, r', V)$, the proof of $EQ\_DLOG(m; V, C; \alpha, g)$ and $S_{Bob}(m)$ to 
TTP and claims that the exchange is between Cathy and Bob. 

4. TTP first verifies the proof of $EQ\_DLOG(m; V, C; \alpha, g)$, then decrypts $s$ 
and verifies if $(s, r')$ is a valid signature of Cathy and if $S_{Bob}(m)$ is a valid 
signature of Bob. If the verifications all pass, TTP sends $S_{Cathy}(m) = (s, r')$ 
to Bob and $S_{Bob}(m)$ to Cathy. Hence Bob obtains Alice's signature $(s, r)$ 
without Alice obtaining anything. 
For some applications it is possible that message $m$ implies the two parties 
to be Alice and Bob instead of Cathy and Bob. However TTP is not supposed 
to semantically understand the content of $m$. TTP only confirms that the $m$ in 
the $EQ\_DLOG$ proof is identical to the $m$ in the signatures. 

5.3 Countermeasures 

Before presenting our countermeasure, we show an interesting fact that the 
attack does not apply to DSA signatures. In the DSA scheme, a signature $(s, r)$ 
under public key $y$ satisfies $r^s = \alpha^{H(m)} y^r \bmod p$. Although it is also simple to 
compute $r', y'$ such that $r'^s = \alpha^{H(m)} y'^{r'} \bmod p$, the attack does not work anymore 
because the commitment $V$ is different from that of ElGamal signatures. In the 
ElGamal scheme $V = \alpha^s$ while in DSA $V = r^s$. Therefore, in DSA the proof 
is $EQ\_DLOG(m; V, C; r, g)$. Recall that the proof of $EQ\_DLOG(m; V, C; r, g)$ 
is $(c, \sigma)$ satisfying $c = H(m \| V \| C \| r \| g \| r^\sigma V^c \| g^\sigma C^c)$. That is, $r$ is included in 
the verification of $(c, \sigma)$. An $r' \neq r$ would make $(c, \sigma)$ fail to pass the 
verification. Forging a new proof of $EQ\_DLOG(m; V, C; r', g)$ is impossible since it 
is equivalent to knowing $s$. 

Now it is easy to see that the countermeasure is quite simple: Alice includes 
her ID (or her public key) in the proof, i.e., $EQ\_DLOG(m \| ID_{Alice}; V, C; \alpha, g)$. 
Even better, she includes more detailed information $I$ about the exchange in the 
proof, i.e., $EQ\_DLOG(m \| I; V, C; \alpha, g)$. In such a case, $I$ is like a label that cannot 
be removed and replaced. Attaching $S_{Alice}(I)$, by contrast, is like a label stuck on 
from outside that can be replaced, and is therefore useless. The ASW fair exchange 
scheme in [2] is not subject to the attack since a similar label is adopted. 

Such a label technique would destroy the untraceability and unlinkability, and 
therefore cannot be adopted to fix the fair payment protocol. 
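The following toy model, added here and not taken from the paper, exercises the Schnorr "feature" of Section 5.1 together with the EQ_DLOG building block of Section 4 and the label countermeasure of Section 5.3: the TTP's dispute check accepts a re-keyed $(s, e')$ when the proof is bound only to $m$, and rejects it once the proof is bound to $m \| ID_{Alice}$. It assumes a single prime-order subgroup for both EQ_DLOG bases (so $C = g^s$ is a commitment rather than a Naccache-Stern ciphertext) and models TTP decryption by handing the TTP the plaintext $s$; the names `rekey_signature`, `ttp_resolve` and `run_exchange` are this example's own.

```python
# Toy model of the Sect. 5.1 "feature" of Schnorr signatures and the Sect. 5.3
# label countermeasure for EQ_DLOG. Constructed example, not code from the paper.
# Assumptions: both EQ_DLOG bases live in one prime-order subgroup of Z_p^*, so
# C = g^s is a discrete-log commitment standing in for the Naccache-Stern
# ciphertext, and the TTP's decryption is modelled by handing it s next to C.
import hashlib
import secrets

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin, used only to build the toy group below."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _toy_group(bits: int = 64) -> tuple:
    """Random safe prime p = 2q + 1; the squares 4 and 9 then have order q."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = _toy_group()
ALPHA, G = 4, 9          # Schnorr base alpha and TTP base g (assumed same group)

def H(*parts) -> int:
    """Hash of the '||'-concatenation of the parts, reduced into Z_q."""
    data = "||".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def schnorr_sign(m: str, a: int) -> tuple:
    """Alice's signature (s, e): r = alpha^k, e = H(m||r), s = k + e a mod q."""
    k = secrets.randbelow(Q - 1) + 1
    e = H(m, pow(ALPHA, k, P))
    return (k + e * a) % Q, e

def schnorr_verify(m: str, s: int, e: int, y: int) -> bool:
    """Verification formula e = H(m || alpha^s y^-e)."""
    return e == H(m, pow(ALPHA, s, P) * pow(y, -e, P) % P)

def rekey_signature(m: str, V: int) -> tuple:
    """Sect. 5.1 feature from V = alpha^s alone: e' = H(m||V alpha^t),
    x' = -t/e' mod q, y' = alpha^x'; then (s, e') verifies under y'."""
    while True:
        t = secrets.randbelow(Q - 1) + 1
        e2 = H(m, V * pow(ALPHA, t, P) % P)
        if e2:                                    # e' = 0 has no inverse mod q
            return e2, pow(ALPHA, (-t * pow(e2, -1, Q)) % Q, P)

def eq_dlog_prove(label: str, s: int, V: int, C: int) -> tuple:
    """Proof that log_alpha V = log_g C, bound to `label` (m, or m||ID).
    Toy: q is known, so sigma is reduced mod q instead of the integer
    interval used by the real EQ_DLOG over a group of unknown order."""
    t = secrets.randbelow(Q)
    c = H(label, V, C, ALPHA, G, pow(ALPHA, t, P), pow(G, t, P))
    return c, (t - c * s) % Q

def eq_dlog_verify(label: str, V: int, C: int, c: int, sigma: int) -> bool:
    """Recompute the challenge from alpha^sigma V^c and g^sigma C^c."""
    u1 = pow(ALPHA, sigma, P) * pow(V, c, P) % P
    u2 = pow(G, sigma, P) * pow(C, c, P) % P
    return c == H(label, V, C, ALPHA, G, u1, u2)

def ttp_resolve(label, m, V, C, proof, s, e, y_claimed) -> bool:
    """TTP step 4: proof under the label it is told, 'decrypt' C, then (s, e)
    checked as a signature of whoever Bob names as the signer."""
    if pow(G, s, P) != C:                         # stands in for decrypting C
        return False
    return eq_dlog_verify(label, V, C, *proof) and schnorr_verify(m, s, e, y_claimed)

def run_exchange(labelled: bool) -> bool:
    """Alice sends (C, e, V) with its proof; Bob halts after step 2 and brings
    (C, e', V) to the TTP as Cathy's. Returns True iff the TTP releases
    (s, e') to Bob, i.e. iff fairness is broken for this label choice."""
    m = "constructed contract m"
    a = secrets.randbelow(Q - 1) + 1              # Alice's private key, y = alpha^a
    def label(who: str) -> str:                   # Sect. 5.3: m||ID_Alice
        return f"{m}||ID_{who}" if labelled else m
    s, e = schnorr_sign(m, a)
    V, C = pow(ALPHA, s, P), pow(G, s, P)
    proof = eq_dlog_prove(label("Alice"), s, V, C)
    if not eq_dlog_verify(label("Alice"), V, C, *proof):   # Bob's step-2 check
        raise RuntimeError("honest run must verify")
    e2, y_cathy = rekey_signature(m, V)           # Cathy registers y'
    return ttp_resolve(label("Cathy"), m, V, C, proof, s, e2, y_cathy)
```

`run_exchange(False)` returns True (the unlabelled proof lets the TTP release Alice's $s$ as Cathy's signature) and `run_exchange(True)` returns False, since the challenge recomputed under $m \| ID_{Cathy}$ no longer matches.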



6 Conclusions 

In this paper we present a colluding attack to breach the fairness of an untraceable 
fair payment protocol and two schemes of fair exchange of digital signatures. 
Their fairness actually has no problem in the situation where only the entities 
described in the protocols exist. The cryptographic techniques employed are also 
secure and efficient. However, the security flaws appear if we consider the real 
situation where more entities exist. 

As many security experts have pointed out, security does not equal cryptography, 
and good cryptographic algorithms do not automatically guarantee the 
security of application systems. Every component being secure does not necessarily 
mean that the whole system is secure. For complex systems, security should be 
studied under various attacks from various angles very carefully. It takes a long 
time and a big effort before one is able to make an assertion. 

Another viewpoint reflected by the result of this paper is that the concrete 
implementation is very critical to security. We show that a tiny difference, such 
as whether to include $r$ in $EQ\_DLOG(m; V, C; r, g)$, could make a big difference 
in security. Hence engineers who implement security schemes should be very 
careful in following every step of the schemes. 
A Restrictive Confirmation Signature Scheme 

In [25], RCSS is designed as follows. 

- System Setup. The parameters $p, q$ and $g$, where $p, q$ are primes such that 
$q \mid p-1$ and $g$ is an element of $\mathbb{Z}_p^*$ of order $q$. $F_1, F_2$ are two collision resistant 
hash functions. The private/public key pairs of the signer $S$, the confirmer $C$, 
the recipient $R$ and the verifier $V$ are $(x_S, y_S = g^{x_S} \bmod p)$, $(x_C, y_C = g^{x_C} \bmod p)$, 
$(x_R, y_R = g^{x_R} \bmod p)$ and $(x_V, y_V = g^{x_V} \bmod p)$, respectively. 

- Signing Protocol. Assume the signer has signed an undeniable signature 
$(a, b, \delta)$ on message $m$ related to the confirmer's public key, i.e., $a = g^t \bmod p$, 
$b = y_C^t \bmod p$ and $\delta = (F_1(m \| a) + b)^{x_S} \bmod p$, where $t$ is randomly 
chosen by $S$. For delegating to $C$ the ability of confirming this signature, the 
signer randomly selects $k, u, v_1, v_2$ and constructs a proof 

$(w, z, u, v_1, v_2) = ProofDVLogEQ(c, g, y_S, F_1(m \| a) + b, \delta, y_V)$, 

where $c = (c_1 \| c_2)$, $c_1 = g^u y_V^{v_1} \bmod p$, $c_2 = g^u y_C^{v_2} \bmod p$, 
$w = F_2(c \| g \| y_S \| F_1(m \| a) + b \| \delta \| g^k \| (F_1(m \| a) + b)^k)$ and 
$z = k - x_S (w + u) \bmod q$. Thus, the RCSS on $m$ is denoted 
$Sign_{RCSS}(S, C, V, m) = (a, b, u, v_1, v_2, w, z, \delta)$. 

- Proof by the Signer. The confirmer $C$ also plays the role of the recipient 
$R$. That means $C$ will be convinced that he is able to prove the validity 
of the signature to $V$ in this procedure. $C$ checks the proof by computing 
$c = ((g^u y_V^{v_1} \bmod p) \| (g^u y_C^{v_2} \bmod p))$ and verifying if 

$w = F_2(c \| g \| y_S \| F_1(m \| a) + b \| \delta \| g^z y_S^{w+u} \| (F_1(m \| a) + b)^z \delta^{w+u})$. 

To prove the relation of $a$ and $b$, the signer needs to run the interactive 
protocol of bi-proof $BP(g, a, y_C, b)$ to show $\log_g a = \log_{y_C} b$. 

- Confirmation Protocol. The confirmer $C$ can prove the validity of the 
signature to $V$ by running the interactive protocol bi-proof $BP(g, y_C, a, b)$ 
with $V$ to show $\log_g y_C = \log_a b$. The verifier $V$ needs to check whether the 
signature $(a, b, u, v_1, v_2, w, z, \delta)$ is created properly, and he can be convinced 
that the signature is valid if he accepts the proof of $BP(g, y_C, a, b)$. 

- Conversion Protocol. The confirmer can convert the designated confirmer 
signature to a general non-interactive undeniable signature. Since the signer 
has constructed the designated verifier proof in a non-interactive way, $V$ can 
check the validity of the signature by himself. The verifier $V$ no longer needs 
to ask $C$ to help him verify the signature. Here, $C$ randomly selects $\sigma \in \mathbb{Z}_q^*$ 
and computes $E = a^{\sigma} \bmod p$ and $T = \sigma + x_C F(a, E) \bmod q$, where $F$ is 
also a hash function. The confirmer sends $(E, T)$ to the verifier $V$, thus $V$ 
can verify if $a^T = E \, b^{F(a, E)} \bmod p$ [10]. 
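The conversion just described is the same mechanism as the transformation certificate $TCer = (E_c, T_c)$ issued in step 2 of the Dispute process of Section 2: a party holding the private key behind $y_{TTP}$ (here, $y_C$) can prove that $(a_c, b_c)$ is a genuine pair without knowing the buyer's $t_c$. The following toy implementation is an added example, not code from the paper; the group size, the TTP key `X_TTP` and the value $t_c = 77$ are constructed, and the function names are this example's own.

```python
# Toy model of the TTP's transformation certificate TCer = (E_c, T_c) from the
# Dispute process of Sect. 2 and the identical (E, T) conversion of Appendix A.
# Constructed example, not code from the paper; the group is deliberately tiny.
import hashlib
import secrets

P, Q, G = 1019, 509, 4        # p = 2q + 1, and g = 2^2 has order q (toy sizes)
X_TTP = 123                   # constructed TTP private key x_TTP
Y_TTP = pow(G, X_TTP, P)      # y_TTP = g^x_TTP mod p

def F(*parts) -> int:
    """Public collision-free hash F(., .) reduced into Z_q."""
    data = "||".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def confirmation_pair(t_c: int) -> tuple:
    """Buyer's confirmation parameters (a_c, b_c) = (g^t_c, y_TTP^t_c)."""
    return pow(G, t_c, P), pow(Y_TTP, t_c, P)

def release_check(a_c: int, b_c: int, t_c: int) -> bool:
    """Payment step 6: anyone can check a released t_c against (a_c, b_c)."""
    return (a_c, b_c) == confirmation_pair(t_c)

def issue_tcer(a_c: int) -> tuple:
    """Dispute step 2: E_c = a_c^sigma, T_c = sigma + x_TTP F(a_c, E_c) mod q.
    The TTP needs only its own key, never the buyer's t_c."""
    while True:
        sigma = secrets.randbelow(Q - 1) + 1
        E_c = pow(a_c, sigma, P)
        if F(a_c, E_c):           # with q this small, F = 0 is not negligible
            return E_c, (sigma + X_TTP * F(a_c, E_c)) % Q

def verify_tcer(a_c: int, b_c: int, tcer: tuple) -> bool:
    """Bank's check a_c^T_c = E_c b_c^F(a_c, E_c) mod p; it holds only when
    log_g a_c = log_y_TTP b_c, i.e. when (a_c, b_c) is a genuine pair."""
    E_c, T_c = tcer
    return pow(a_c, T_c, P) == E_c * pow(b_c, F(a_c, E_c), P) % P

def demo() -> tuple:
    """A genuine pair converts; the same TCer rejects a forged b_c."""
    a_c, b_c = confirmation_pair(77)              # constructed t_c = 77
    tcer = issue_tcer(a_c)
    bad_b = b_c * G % P                           # not of the form y_TTP^t_c
    return verify_tcer(a_c, b_c, tcer), verify_tcer(a_c, bad_b, tcer)
```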
Korea now has world-class IT infrastructure such as broadband Internet and 
mobile communications, and produces high-quality products based on broad- 
band networks and IT technologies including semiconductors, mobile handsets, 
digital TV, etc. The achievement was made possible thanks to new services that 
create demand, establishment of infrastructure that enables the provision of new 
services, and enhanced manufacturing capability. To formulate a new virtuous 
cycle, the Ministry of Information and Communication (MIC) developed the 
IT839 Strategy. 

The IT839 strategy is composed of 8 services, 3 infrastructures and 9 new 
growth engines. 8 services are WiBro (Wireless Broadband) Service, DMB 
(Digital Multimedia Broadcasting) Service, Home Network Service, Telematics 
Service, RFID-based Service, W-CDMA Service, Terrestrial Digital TV, and In- 
ternet Telephony (VoIP). 3 infrastructures are Broadband Convergence Network 
(BcN), Ubiquitous Sensor Network (USN), and Next-Generation Internet Proto- 
col (IPv6). And 9 new growth engines are Next-Generation Mobile Communica- 
tions, Digital TV, Home Network, IT System on Chip (SoC), Next-Generation 
PC, Embedded SW, Digital Contents, Telematics, and Intelligent Service Robot. 
The success of the Strategy will enhance the quality of our lives and bring us 
into ubiquitous society. 

But with the advance of new services and intelligent devices such as telematics, 
home networking, and digital TV, the adverse effects of the information society 
would become one of the major concerns in the forthcoming information society. 
Users living in the ubiquitous society propelled by the IT839 Strategy will be very 
sensitive to security and privacy issues. We anticipate possible new information 
security threats. These are the diffusion of threats caused by network convergence, 
the sheer volume of collection and disclosure of personal information through 
pervasive devices, the lack of an established authentication framework for emerging 
transaction devices, and the transition from threats in cyberspace to threats in 
the real world. 

If we fail to prepare adequate and timely policies and related technical 
solutions to cope with such security and privacy challenges, the IT839 Strategy 
would not be successfully implemented in our society. For the IT839 Strategy to be 
successful, we need the proper security policies to overcome the anticipated threats 
of the future. First, to develop a trustworthy convergent network, we will develop 
cryptography and authentication technologies for secure network connection and 
agent technology for rapid hand-off, and will standardize interface technologies 
for secure interoperability among different networks. Secondly, to ensure the 
safety of ubiquitous services, we will establish safety criteria for new intelligent 
devices, develop lightweight cryptography technologies for privacy protection, and 
develop DRM (Digital Rights Management) technologies for protection against 
illegal distribution of digital contents. Lastly, we will improve the legal system in 
preparation for future IT environments, and will try to formulate a security culture. 

It is obvious that a higher level of information security will be required to 
effectively sustain the ubiquitous society. For information security to be more 
effective, we should take not only technological countermeasures but also social 
and legal ones. MIC will try to build a secure Korea by considering information 
security from the initial stage of the IT839 Strategy implementation. 
Abstract. Several generalizations of linear cryptanalysis have been proposed 
in the past, as well as very similar attacks from a statistical point 
of view. In this paper, we define a rigorous general statistical framework 
which allows one to interpret most of these attacks in a simple and unified 
way. Then, we explicitly construct optimal distinguishers, we evaluate 
their performance, and we prove that a block cipher immune to classical 
linear cryptanalysis possesses some resistance to a wide class of generalized 
versions, but not all. Finally, we derive tools which are necessary to 
set up more elaborate extensions of linear cryptanalysis, and to generalize 
the notions of bias, characteristic, and piling-up lemma. 

Keywords: Block ciphers, linear cryptanalysis, statistical cryptanalysis. 



1 A Decade of Linear Cryptanalysis 

Linear cryptanalysis is a known-plaintext attack proposed in 1993 by Matsui 
[21, 22] to break DES [26], exploiting specific correlations between the input and 
the output of a block cipher. Namely, the attack traces the statistical correlation 
between one bit of information about the plaintext and one bit of information 
about the ciphertext, both obtained linearly with respect to $GF(2)^L$ (where $L$ 
is the block size of the cipher), by means of probabilistic linear expressions, a 
concept previously introduced by Tardy-Corfdir and Gilbert [30]. 

Soon after, several attempts to generalize linear cryptanalysis are published: 
Kaliski and Robshaw [13] demonstrate how it is possible to combine several 
independent linear correlations depending on the same key bits. In [31], Vaudenay 
defines another kind of attack on DES, called the $\chi^2$-attack, and shows that one can 
obtain an attack slightly less powerful than a linear cryptanalysis, but without 
the need to know precisely what happens in the block cipher. Harpes, Kramer, 
and Massey [7] replace the linear expressions with so-called I/O sums, i.e., 
balanced binary-valued functions; they prove the potential effectiveness of such a 
generalization by exhibiting a block cipher secure against conventional linear 
cryptanalysis but vulnerable to their generalization. Practical examples are the 
attack of Knudsen and Robshaw [15] against LOKI91 and the one of Shimoyama 
and Kaneko [28] against DES, which both use non-linear approximations. 

In [8], Harpes and Massey generalize the results of [7] by considering partition 
pairs of the input and output spaces. Let $\mathcal{X} = \{X_1, X_2, \ldots, X_n\}$ and 
$\mathcal{Y} = \{Y_1, Y_2, \ldots, Y_n\}$ be partitions of the input and output sets respectively, 
where $X_i$ and $Y_i$ are called blocks. The pair $(\mathcal{X}, \mathcal{Y})$ is called a partition-pair 
if all blocks of $\mathcal{X}$ (respectively $\mathcal{Y}$) contain the same number of plaintexts 
(respectively ciphertexts). A partitioning cryptanalysis exploits the fact that the 
probabilities $\Pr[(X, f_k(X)) \in (\mathcal{X}, \mathcal{Y})]$ may not be uniformly distributed for a 
block cipher when the plaintext $X$ is uniformly distributed. In order to 
characterize the non-uniformity of a sample distribution, Harpes and Massey 
consider two "measures" called peak imbalance and squared Euclidean imbalance. 
Furthermore, they observe on toy examples that the latter seems to lead to 
more successful attacks. These results are completed by Jakobsen and Harpes 
in [10, 9], where they develop useful bounds to estimate the resistance of block 
ciphers to partitioning cryptanalysis, with the help of spectral techniques; these 
bounds are relative to the squared Euclidean imbalance only, but this choice is 
not motivated in a formal way. To the best of our knowledge, the first practical 
example of partitioning cryptanalysis breaking a block cipher is the attack 
known as "stochastic cryptanalysis" [24] proposed by Minier and Gilbert against 
Crypton [17, 18]. 

In recent papers, Junod and Vaudenay [12, 11] consider linear cryptanalysis in a purely statistical framework, as was first done by Murphy et al. [25], in order to derive optimal key ranking procedures and asymptotic bounds on the success probability of optimal linear distinguishers. A somewhat similar approach is chosen by Coppersmith et al. [1], except that it is adapted to stream ciphers. One can note that tight results about optimal distinguishers furthermore allow one to derive useful security criteria.

Finally, the NESSIE effort resulted in a few papers investigating the power of linear (or non-linear) approximations based on different algebraic structures, like $\mathbb{Z}_4$. For instance, Parker [27] shows how to approximate constituent functions of an S-box by any linear function over any weighted alphabet. However, Parker observes that it is not straightforward to piece these generalized linear approximations together. In [29], Standaert et al. take advantage of approximations in $\mathbb{Z}_4$ by recombining the values in order to reduce the problem to the well-known binary case; they obtain biases that are more interesting than those of a classical linear cryptanalysis.

Notation. Throughout this paper, random variables $X, Y, \ldots$ are denoted by capital letters, whilst their realizations $x \in \mathcal{X}, y \in \mathcal{Y}, \ldots$ are denoted by small letters. The cardinal of a set $\mathcal{X}$ is denoted $|\mathcal{X}|$. The probability function of a random variable $X$ following a distribution $D$ is denoted $\Pr_D[x]$ or abusively $\Pr_X[x]$, when the distribution is clear from the context. For convenience, a sequence $X_1, X_2, \ldots, X_n$ of $n$ random variables is denoted $X^n$. Similarly, a sequence $x_1, x_2, \ldots, x_n$ of realizations is denoted $x^n$. We call support of a distribution $D$ the set of all $x \in \mathcal{X}$ such that $\Pr_D[x] \neq 0$. As usual, "iid" means "independent and identically distributed". The transpose of a linear function $h$ is denoted ${}^t h$. $1_A$ is 1 if the predicate $A$ is true, 0 otherwise. Finally, $\cdot$ denotes the inner product. The distribution function of the standard normal distribution is denoted

$$\Phi(t) = \frac{1}{\sqrt{2\pi}} \int_{-\infty}^{t} e^{-\frac{1}{2}u^2}\, du .$$

2 Optimal Distinguisher Between Two Sources 

In this section, we shall consider a source generating a sequence of $n$ iid random variables $Z^n$ following a distribution $D$ and taking values in a set $\mathcal{Z}$. We wonder whether $D = D_0$ or $D = D_1$ (where $D_1$ is referred to as an "ideal distribution"), knowing that one of these two hypotheses is true. An algorithm which takes a sequence of $n$ realizations $z^n$ as input and outputs either 0 or 1 is known as a distinguisher limited to $n$ samples. It can be defined by an acceptance region $\mathcal{A} \subseteq \mathcal{Z}^n$ such that the distinguisher outputs 0 (respectively 1) when $z^n \in \mathcal{A}$ (respectively $z^n \notin \mathcal{A}$). The ability to distinguish a distribution from another is known as the advantage of the distinguisher and is defined by

$$\mathrm{Adv}^n_{\mathcal{A}} = \Pr_{D_0}[\mathcal{A}] - \Pr_{D_1}[\mathcal{A}] ,$$

which is a quantity an adversary would like to maximize. The distinguisher can make two types of mistakes: it can either output 0 when $D = D_1$ or output 1 when $D = D_0$. We denote $\alpha$ and $\beta$ the respective error probabilities and $P_e = \frac{1}{2}(\alpha + \beta)$ the overall probability of error. We can assume without loss of generality that $P_e \leq \frac{1}{2}$; we easily obtain that $\mathrm{Adv}^n_{\mathcal{A}} = 1 - 2P_e$.

2.1 Deriving an Optimal Distinguisher 

We describe here how to derive an optimal distinguisher for the scenario described above [1, 11]. Clearly, $P_e = \frac{1}{2} - \frac{1}{2}\sum_{z^n \in \mathcal{A}} \left(\Pr_{D_0}[z^n] - \Pr_{D_1}[z^n]\right)$, therefore the set minimizing¹ $P_e$ is

$$\mathcal{A} = \{ z^n \in \mathcal{Z}^n : \mathrm{LR}(z^n) \geq 1 \} \quad \text{where} \quad \mathrm{LR}(z^n) = \frac{\Pr_{D_0}[z^n]}{\Pr_{D_1}[z^n]} \qquad (1)$$

stands for likelihood ratio². It defines an optimal distinguisher, i.e., with maximum advantage given a bounded number of samples and with no assumption on the computational power of the adversary.

In order to take a decision, a distinguisher defined by (1) has to keep in memory the results of the $n$ queries, which is not feasible in practice if $n$ grows. Fortunately, it is possible to derive an equivalent distinguisher with $|\mathcal{Z}|$ counter values $N(a|z^n)$, each one counting the number of occurrences of a certain symbol $a$ of $\mathcal{Z}$ in the sequence $z^n$. We summarize this in the following result.

¹ Note that we could have equivalently chosen a strict inequality in (1).

² The likelihood ratio builds the core of the Neyman-Pearson lemma [2, Ch. 12].
Proposition 1 (Optimal Distinguisher). The optimal acceptance region to test $D = D_0$ against $D = D_1$ is $\mathcal{A}_{\mathrm{opt}} = \{ z^n \in \mathcal{Z}^n : \mathrm{LLR}(z^n) \geq 0 \}$ where

$$\mathrm{LLR}(z^n) = \sum_{\substack{a \in \mathcal{Z} \\ \text{s.t. } N(a|z^n) > 0}} N(a|z^n) \log \frac{\Pr_{D_0}[a]}{\Pr_{D_1}[a]}$$

is the logarithmic likelihood ratio, with the convention that $\log\frac{0}{p} = -\infty$ and $\log\frac{p}{0} = +\infty$ (the $\log\frac{0}{0}$ case can be ignored), and where $N(a|z^n)$ is the number of times the symbol $a$ occurs in the sequence $z^n \in \mathcal{Z}^n$.

Given the number of realizations $n$, we can compute the exact advantage of the optimal distinguisher. Let $[D_0]^n$ and $[D_1]^n$ be the vectors defined by

$$[D_j]^n_{z^n} = \Pr_{D_j}[z^n] \quad \text{with } j \in \{0, 1\} ,$$

which are a specific case of $n$-wise distribution matrices of the Decorrelation Theory [33] in a simplified case as we have no input here, only outputs $Z_i$. The probability that the distinguisher outputs 0 when $D = D_j$ is $\sum_{z^n \in \mathcal{A}} [D_j]^n_{z^n}$ for $j \in \{0, 1\}$. The advantage is thus $\left|\sum_{z^n \in \mathcal{A}} \left([D_0]^n_{z^n} - [D_1]^n_{z^n}\right)\right|$. Since $\mathcal{A}_{\mathrm{opt}}$ maximizes the sum, we obtain

$$\mathrm{Adv}^n_{\mathcal{A}_{\mathrm{opt}}} = \frac{1}{2} \left\| [D_0]^n - [D_1]^n \right\|_1 ,$$

where the norm $\|\cdot\|_1$ of a vector $A$ is defined by $\|A\|_1 = \sum_i |A_i|$. Note that the statistical framework of Coppersmith et al. [1] is based on this norm.

2.2 Complexity Analysis 

In this section, we compute the number of queries the optimal distinguisher needs in order to distinguish $D_0$ from $D_1$, given a fixed error probability $P_e$.

Definition 2. The relative entropy or Kullback-Leibler distance between two distributions $D_0$ and $D_1$ is defined as

$$D(D_0 \| D_1) = \sum_{z \in \mathcal{Z}} \Pr_{D_0}[z] \log \frac{\Pr_{D_0}[z]}{\Pr_{D_1}[z]} ,$$

with the convention that $0 \log\frac{0}{p} = 0$ and $p \log\frac{p}{0} = +\infty$ for $p > 0$.

We will refer to this notion using the term relative entropy as, being non-symmetric, it is not exactly a distance. Nevertheless, it is always positive since $-\log$ is convex. Using this notation, the following proposition can be proved.

Proposition 3. Considering that $Z_1, Z_2, \ldots$ is a sequence of iid random variables of distribution $D$ and that $D_0$ and $D_1$ share the same support,

$$\Pr\left[\frac{\mathrm{LLR}(Z^n) - n\mu_j}{\sigma_j \sqrt{n}} < t\right] \xrightarrow[n \to \infty]{} \Phi(t) \qquad (2)$$

when $D = D_j$ for $j \in \{0, 1\}$, where

$$\mu_0 = D(D_0 \| D_1) > 0 \quad \text{and} \quad \mu_1 = -D(D_1 \| D_0) < 0 , \qquad (3)$$

and where

$$\sigma_j^2 = \sum_{z \in \mathcal{Z}} \Pr_{D_j}[z] \left( \log \frac{\Pr_{D_0}[z]}{\Pr_{D_1}[z]} \right)^2 - \mu_j^2 .$$

Proof. We first note that the logarithmic likelihood ratio can be expressed as a sum $\mathrm{LLR}(Z^n) = R_1 + \cdots + R_n$ where

$$R_i = \sum_{z \in \mathcal{Z}} 1_{Z_i = z} \log \frac{\Pr_{D_0}[z]}{\Pr_{D_1}[z]}$$

and where every $Z_i$ follows distribution $D_j$ (so that the $R_i$'s are iid). The Central Limit Theorem then states that $\Pr\left[(\mathrm{LLR}(Z^n) - n\mu_j) / (\sigma_j\sqrt{n}) < t\right]$ converges in distribution towards $\Phi(t)$, where $\mu_j = \mathrm{E}_{D_j}[R_i]$ and $\sigma_j^2 = \mathrm{Var}_{D_j}[R_i]$. Some straightforward computations lead to the announced result. Note that the assumption that both distributions share the same support is necessary for $\mu_j$ and $\sigma_j$ to be well defined. □



We now assume that the distributions $D_0$ and $D_1$ are close to each other, since it is the case usually encountered in practice.

Assumption 4. Considering that $D_0$ is close to $D_1$, we can write

$$\forall z \in \mathcal{Z} : \quad \Pr_{D_0}[z] = p_z + \epsilon_z \quad \text{and} \quad \Pr_{D_1}[z] = p_z \quad \text{with } |\epsilon_z| \ll p_z .$$

Note that in such a case we can approximate $\mathrm{LLR}(z^n)$ by
Proposition 3 can now be simplified using Taylor series.



Proposition 5. Under the hypothesis of Proposition 3 and of Assumption 4 we have, at order two:

$$\mu_0 \approx -\mu_1 \approx \frac{1}{2} \sum_{z \in \mathcal{Z}} \frac{\epsilon_z^2}{p_z} \quad \text{and} \quad \sigma_0^2 \approx \sigma_1^2 \approx \sum_{z \in \mathcal{Z}} \frac{\epsilon_z^2}{p_z} .$$


We can finally derive a heuristic theorem giving the number of samples the distinguisher needs, together with the implied probability of error, in order to distinguish close distributions with same support.

Theorem 6. Let $Z_1, \ldots, Z_n$ be iid random variables over the set $\mathcal{Z}$ of distribution $D$, $D_0$ and $D_1$ be two distributions of same support which are close to each other, and $n$ be the number of samples of the best distinguisher between $D = D_0$ or $D = D_1$. Let $d$ be a real number such that

$$n = \frac{d}{\sum_{z \in \mathcal{Z}} \frac{\epsilon_z^2}{p_z}} \approx \frac{d}{2\, D(D_0 \| D_1)} \qquad (4)$$

(where $p_z = \Pr_{D_1}[z]$ and $p_z + \epsilon_z = \Pr_{D_0}[z]$). Then, the overall probability of error is $P_e \approx \Phi(-\sqrt{d}/2)$.
Proof. If $d$ is such that $\tilde\mu = \frac{1}{2}\sqrt{d/n}\;\tilde\sigma$, where $\tilde\mu$ and $\tilde\sigma$ respectively denote the approximations of $\mu_0$ and $\sigma_0$ at order 2, we obtain (4). By definition $P_e = \frac{1}{2}\left(1 - \Pr_{D_1}[\mathrm{LLR} < 0] + \Pr_{D_0}[\mathrm{LLR} < 0]\right)$. However

$$\Pr_{D_j}[\mathrm{LLR} < 0] = \Pr\left[\frac{\mathrm{LLR} - n\mu_j}{\sigma_j\sqrt{n}} < -\frac{\sqrt{n}\,\mu_j}{\sigma_j}\right] \approx \Phi\left(-\frac{\sqrt{n}\,\mu_j}{\sigma_j}\right) ,$$

where we make the usual approximation that the left hand side of (2) can be approximated by $\Phi(t)$. Therefore, as Proposition 5 states that $\mu_0 \approx -\mu_1 \approx \tilde\mu$ and that $\sigma_0 \approx \sigma_1 \approx \tilde\sigma$, we have $P_e \approx \frac{1}{2}\left(1 - \Phi(\sqrt{d}/2) + \Phi(-\sqrt{d}/2)\right) = \Phi(-\sqrt{d}/2)$.

□



Note that it may be possible to obtain strict tight bounds instead of an 
approximation for Pe using, for instance, Chernoff bounds. 
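The counter-based LLR test of Proposition 1 and the sample-complexity estimate of Theorem 6 can be checked numerically. The following Python program is an added example, not code from the paper: it constructs two toy distributions over $\mathcal{Z} = \{0, 1, 2, 3\}$ ($D_1$ uniform, $D_0$ close to it), implements the distinguisher from the $|\mathcal{Z}|$ counters $N(a|z^n)$, computes $n$ from (4) for a chosen $d$, and estimates $P_e$ by simulation to compare it with $\Phi(-\sqrt{d}/2)$. The function names (`samples_needed`, `empirical_error`, ...) and the sample distributions are ours.

```python
import math
import random
from collections import Counter

# Constructed toy distributions over Z = {0, 1, 2, 3}: D1 is the "ideal" uniform
# distribution, D0 is a close distribution (Assumption 4: eps_z = Pr_D0[z] - p_z).
D1 = [0.25, 0.25, 0.25, 0.25]
D0 = [0.30, 0.20, 0.28, 0.22]


def kl_divergence(d0, d1):
    """Relative entropy D(D0 || D1) of Definition 2 (natural logarithm, same support)."""
    return sum(p0 * math.log(p0 / p1) for p0, p1 in zip(d0, d1) if p0 > 0)


def llr(counts, d0, d1):
    """LLR of Proposition 1, computed from the |Z| counters N(a | z^n) only."""
    return sum(n_a * math.log(d0[a] / d1[a]) for a, n_a in counts.items() if n_a > 0)


def optimal_distinguisher(sample, d0, d1):
    """Output 0 (decide D = D0) iff LLR(z^n) >= 0; only the counters are kept, not the sample."""
    return 0 if llr(Counter(sample), d0, d1) >= 0 else 1


def phi(t):
    """Distribution function of the standard normal distribution."""
    return 0.5 * (1.0 + math.erf(t / math.sqrt(2.0)))


def sum_eps2_over_p(d0, d1):
    """sum_z eps_z^2 / p_z, the quantity (4) relates to n and to 2 D(D0 || D1)."""
    return sum((p0 - p1) ** 2 / p1 for p0, p1 in zip(d0, d1))


def samples_needed(d0, d1, d):
    """n = d / sum_z eps_z^2 / p_z, equation (4) of Theorem 6 (rounded up)."""
    return math.ceil(d / sum_eps2_over_p(d0, d1))


def predicted_error(d):
    """P_e ~ Phi(-sqrt(d) / 2) from Theorem 6."""
    return phi(-math.sqrt(d) / 2.0)


def empirical_error(d0, d1, n, trials, seed=1):
    """Monte-Carlo estimate of P_e = (alpha + beta) / 2 for the optimal distinguisher."""
    rng = random.Random(seed)
    symbols = list(range(len(d0)))
    # alpha: output 0 although D = D1; beta: output 1 although D = D0.
    alpha = sum(optimal_distinguisher(rng.choices(symbols, d1, k=n), d0, d1) == 0
                for _ in range(trials)) / trials
    beta = sum(optimal_distinguisher(rng.choices(symbols, d0, k=n), d0, d1) == 1
               for _ in range(trials)) / trials
    return 0.5 * (alpha + beta)


if __name__ == "__main__":
    d = 16.0
    n = samples_needed(D0, D1, d)
    print("D(D0||D1) =", kl_divergence(D0, D1), " sum eps^2/p =", sum_eps2_over_p(D0, D1))
    print("n =", n, " predicted P_e =", predicted_error(d),
          " empirical P_e =", empirical_error(D0, D1, n, 1000))
```

With $d = 16$ the theorem predicts $P_e \approx \Phi(-2) \approx 0.023$ at $n \approx 589$ samples, and the simulated error rate lands close to that value; the printed comparison of $\sum_z \epsilon_z^2/p_z$ with $2D(D_0\|D_1)$ shows how good the second-order approximation in (4) is for these distributions.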



2.3 Case Where the Ideal Source Is Uniform 



From now on, we assume that $D_1$ is the uniform distribution. When $D_0$ is a distribution whose support is $\mathcal{Z}$ itself and which is close to $D_1$, Theorem 6 can be rewritten with

$$d = n\, |\mathcal{Z}| \sum_{z \in \mathcal{Z}} \epsilon_z^2 .$$

This shows that the distinguishability can be measured by means of the Euclidean distance between $D_0$ and $D_1$. In the very specific case where $\mathcal{Z} = \{0, 1\}$, we have $\epsilon_0 = -\epsilon_1 = \epsilon$ and one can see that $n$ is proportional to $\epsilon^{-2}$. It is a well accepted fact that the complexity of linear cryptanalysis is linked to the inverse of the square of the bias [21] which is, as we can see, a consequence of Theorem 6. We now recall what appears to be the natural measure of the bias of a distribution, considering the needed number of samples and Assumption 4.



Definition 7. Let $\epsilon_z = \Pr_{D_0}[z] - \frac{1}{|\mathcal{Z}|}$. The Squared Euclidean Imbalance³ (SEI) $\Delta(D_0)$ of a distribution $D_0$ of support $\mathcal{Z}$ from the uniform distribution is defined by

$$\Delta(D_0) = |\mathcal{Z}| \sum_{z \in \mathcal{Z}} \epsilon_z^2 .$$

It is well-known (see [6, 14]) that a $\chi^2$ cryptanalysis needs $O(1/\Delta(D_0))$ queries to succeed, which is by no means worse, up to a constant term, than an optimal distinguisher. Junod observed [11] that a $\chi^2$ statistical test is asymptotically equivalent to a generalized likelihood-ratio test developed for a multinomial distribution; although such tests are not optimal in general, they usually perform reasonably well. Our results confirm this fact: a cryptanalyst will not lose any essential information in the case she can describe only one of the two distributions, but the precise knowledge of both distributions allows one to derive an optimal attack. In other words, when it is impossible to derive both probability distributions, or when an attack involves many different distributions and only one is known, the best practical alternative to an optimal distinguisher seems to be a $\chi^2$-attack, as proposed in [31]. This fact corroborates the intuition stipulating that $\chi^2$-attacks are useful when one does not know precisely what happens in the attacked block cipher.

³ Although this appellation coincides with the one of [7], note that the definitions slightly differ.

2.4 Case Where the Source Generates Boolean Vectors 

We assume here that random variables are bitstrings⁴, so that $\mathcal{Z} = \{0, 1\}^\ell$.

Definition 8. Following the notations of Assumption 4, let $D_0$ be the distribution defined by the set $\{\epsilon_z\}_{z \in \mathcal{Z}}$, $D_1$ being the uniform distribution on $\mathcal{Z}$. We define the Fourier transform of $D_0$ at point $u \in \mathcal{Z}$ as

$$\hat\epsilon_u = \sum_{z \in \mathcal{Z}} (-1)^{u \cdot z} \epsilon_z . \qquad (5)$$

The involution property of the Fourier transform leads to

$$\epsilon_z = \frac{1}{|\mathcal{Z}|} \sum_{u \in \mathcal{Z}} (-1)^{u \cdot z} \hat\epsilon_u . \qquad (6)$$

The next property can be compared to Parseval's Theorem.

Proposition 9. In the case where $D_1$ is the uniform distribution over $\mathcal{Z} = \{0, 1\}^\ell$, the SEI and the Fourier coefficients are related by:

$$\Delta(D_0) = \sum_{u \in \mathcal{Z}} \hat\epsilon_u^2 .$$

We now recall the definition of the linear probability [23], which plays a central role in the context of linear cryptanalysis.

Definition 10. The linear probability of a boolean random variable $B$ is

$$\mathrm{LP}(B) = \left(\Pr[B = 0] - \Pr[B = 1]\right)^2 = \left(2\Pr[B = 0] - 1\right)^2 = \left(\mathrm{E}\left[(-1)^B\right]\right)^2 .$$

Proposition 11. Let $\mathcal{Z} = \{0, 1\}^\ell$. If $Z \in \mathcal{Z}$ is a random variable of distribution $D_0$, the SEI and the linear probability are related by:

$$\Delta(D_0) = \sum_{w \in \mathcal{Z} \setminus \{0\}} \mathrm{LP}(w \cdot Z) .$$

⁴ Note that all the study below extends in a straightforward way to $\mathcal{Z} = \mathrm{GF}(p)^\ell$ for a prime $p$ by replacing $(-1)$ by $e^{2i\pi/p}$ and by using the conjugates of $\hat\epsilon_u$ and $\epsilon_z$ in (5) and (6) respectively. For simplicity we restrict ourselves to $\mathrm{GF}(2)$.
Proof. By using (5) we have $\hat\epsilon_u = \mathrm{E}_{D_0}\left[(-1)^{u \cdot Z}\right] - 1_{u = 0}$. Proposition 9 gives

$$\Delta(D_0) = \sum_{u \in \mathcal{Z} \setminus \{0\}} \left(\mathrm{E}_{D_0}\left[(-1)^{u \cdot Z}\right]\right)^2 = \sum_{u \in \mathcal{Z} \setminus \{0\}} \mathrm{LP}(u \cdot Z) . \qquad \square$$

Corollary 12. Let $Z$ be a random variable over $\mathcal{Z} = \{0, 1\}^\ell$ of distribution $D_0$ and let⁵ $\mathrm{LP}_{\max}$ be the maximum of $\mathrm{LP}(w \cdot Z)$ over $w \in \mathcal{Z} \setminus \{0\}$. We have

$$\Delta(D_0) \leq (2^\ell - 1)\, \mathrm{LP}_{\max} .$$

Theorem 6 and Corollary 12 together mean that the complexity of the best distinguisher between two distributions of random bit strings can decrease by a factor up to $2^\ell$ when compared to the best linear distinguisher. It is interesting to note that there are cases where this bound is tight. For example if $D_0$ is such that $\Pr_{D_0}[z]$ is $\frac{1}{2^\ell} + \left(1 - \frac{1}{2^\ell}\right)\gamma$ if $z = 0$, and $\frac{1}{2^\ell} - \frac{1}{2^\ell}\gamma$ otherwise (where $\gamma$ is a positive constant), it can be shown that $\mathrm{LP}(w \cdot Z) = \gamma^2$ for all $w \neq 0$. Hence $\Delta(D_0) = (2^\ell - 1)\gamma^2$ and $\mathrm{LP}_{\max} = \gamma^2$.

2.5 Statistical Distinguishers 

In the last section, we have been trying to distinguish two random variables following two distinct distributions in a set $\mathcal{Z} = \{0, 1\}^\ell$ where $\ell$ should not be too large from an implementation point of view. If we try to distinguish two random variables distributed in some set $\{0, 1\}^L$ of large cardinality (e.g. where $L = 128$), we won't be able to implement the best distinguisher of Proposition 1 as the memory requirement would be too high. Instead, we can reduce the source space to a smaller space $\mathcal{Z} = \{0, 1\}^\ell$ by means of a projection⁶ $h : \{0, 1\}^L \to \mathcal{Z}$ defining, for a random variable $S \in \{0, 1\}^L$ of distribution $\bar D$, a random variable $Z = h(S)$ of distribution $D$. Here we consider that $h$ is a balanced function and that $\bar D_1$ is a uniform distribution, so that $D_1$ is a uniform distribution as well. This is a typical construction in a real-life block cipher cryptanalysis, where the block length is quite large. Now, even though we know which distinguisher is the best to use in order to distinguish $D_0$ from $D_1$, it is still not clear how the projection $h$ has to be chosen. Probably the most classical example arises when $\ell = 1$ and $h(S) = a \cdot S$ for some non-zero $a \in \{0, 1\}^L$. We then talk about a linear distinguisher. In this case, we note that $\Delta(D_0) = \mathrm{LP}(a \cdot S) \leq \mathrm{LP}_{\max}$. Modern ciphers protect themselves against that type of distinguisher by bounding the value of $\mathrm{LP}_{\max}$. A natural extension of the previous scheme would be to consider any linear projection onto wider spaces, e.g. to consider $h(S) \in \mathcal{Z} = \{0, 1\}^\ell$ (where $\ell > 1$ is still small) such that $h$ is $\mathrm{GF}(2)$-linear. We then talk about an extended linear distinguisher. It seems natural to wonder about the complexity gap between linear cryptanalysis and this extension. The following theorem proves that if a cipher provably resists classical linear cryptanalysis, it is (to some extent) protected against extended linear cryptanalysis.

⁵ We make a slight abuse of notation since $\mathrm{LP}_{\max}$ is not a random variable depending on $Z$, but a real value depending on the distribution of $Z$.

⁶ We borrow this appellation from Vaudenay [31]; the same expression is used within Wagner's unified view of block cipher cryptanalysis [34] as well.
Theorem 13. Let $S$ be a random variable over $\{0, 1\}^L$. Whenever the source space is reduced by a projection $h : \{0, 1\}^L \to \{0, 1\}^\ell$ in a $\mathrm{GF}(2)$-linear way, we have $\Delta(h(S)) \leq (2^\ell - 1)\, \mathrm{LP}_{\max}$.

Proof. We use Proposition 11 and the fact that $w \cdot h(S) = {}^t h(w) \cdot S$. □

A classical example of a linear space reduction arises when considering concatenation of several projections. For example, denoting $D_0^{(i)}$ the distribution of $h^{(i)}(S)$ for $i \in \{1, \ldots, \ell\}$, where $h^{(i)} : \{0, 1\}^L \to \{0, 1\}$ is linear, we consider $h(S) = (h^{(1)}(S), \ldots, h^{(\ell)}(S))$. This corresponds to the works of Kaliski and Robshaw [13] (where different linear characteristics involving identical key bits are merged) and of Junod and Vaudenay [12] (where different linear characteristics involving different key bits are merged). In the latter situation, if no assumption is made about the dependency among the $\Delta(D_0^{(i)})$'s, Theorem 13 tells us $\Delta(D_0^{(1)} \times \cdots \times D_0^{(\ell)}) \leq (2^\ell - 1)\, \mathrm{LP}_{\max}$. The following proposition tells us what happens in general when the $D_0^{(i)}$'s are independent but do not necessarily come from a linear projection nor a Boolean projection.

Proposition 14. Consider the case where $D_0 = D_0^{(1)} \times \cdots \times D_0^{(\ell)}$. If $D_0^{(1)}, \ldots, D_0^{(\ell)}$ are independent distributions, then $\Delta(D_0) + 1 = \prod_{i=1}^{\ell} \left(\Delta(D_0^{(i)}) + 1\right)$. Therefore, $\Delta(D_0)$ can be approximated by the sum of the $\Delta(D_0^{(i)})$'s.

Proof. For the sake of simplicity, we restrict this proof to the case where $D_0 = D_0^{(a)} \times D_0^{(b)}$. Let $Z = (A, B)$ where $A$ and $B$ are two independent random variables following distributions $D_0^{(a)}$ and $D_0^{(b)}$ respectively. As in Proposition 11, we have

$$\begin{aligned}
\Delta(D_0^{(a)} \times D_0^{(b)}) &= \sum_{(u, v) \neq (0, 0)} \left(\mathrm{E}\left[(-1)^{u \cdot A \oplus v \cdot B}\right]\right)^2 \\
&= \sum_{(u, v) \neq (0, 0)} \left(\mathrm{E}\left[(-1)^{u \cdot A}\right]\right)^2 \left(\mathrm{E}\left[(-1)^{v \cdot B}\right]\right)^2 \\
&= \left(\Delta(D_0^{(a)}) + 1\right)\left(\Delta(D_0^{(b)}) + 1\right) - 1 . \qquad \square
\end{aligned}$$

This result tells us that merging $\ell$ independent biases should only be considered when their respective amplitudes are within the same order of magnitude.
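Definition 7, Propositions 9 and 11, Corollary 12, Theorem 13 and Proposition 14 are all finite computations on a distribution over $\{0, 1\}^\ell$, so they can be checked directly. The following Python program is an added example, not the paper's code: it computes the SEI, the Fourier transform (5) and its inverse (6), the linear probabilities of all masks, the distribution for which Corollary 12 is tight, the distribution of a $\mathrm{GF}(2)$-linear projection given by output masks, and the product of two independent distributions. The sample distribution, the masks and the function names are ours.

```python
def parity(v):
    """Parity of the Hamming weight of v; parity(u & z) is the GF(2) inner product u . z."""
    return bin(v).count("1") & 1


def sei(d0):
    """Squared Euclidean Imbalance Delta(D0) = |Z| sum_z eps_z^2 (Definition 7, D1 uniform)."""
    size = len(d0)
    return size * sum((p - 1.0 / size) ** 2 for p in d0)


def fourier(d0):
    """eps_hat_u = sum_z (-1)^{u.z} eps_z (equation (5)) for every u in Z = {0,1}^ell."""
    size = len(d0)
    eps = [p - 1.0 / size for p in d0]
    return [sum(-e if parity(u & z) else e for z, e in enumerate(eps)) for u in range(size)]


def inverse_fourier(eps_hat):
    """eps_z = (1/|Z|) sum_u (-1)^{u.z} eps_hat_u (equation (6))."""
    size = len(eps_hat)
    return [sum(-e if parity(u & z) else e for u, e in enumerate(eps_hat)) / size
            for z in range(size)]


def linear_probability(d0, w):
    """LP(w . Z) = (E[(-1)^{w.Z}])^2 (Definition 10) for Z of distribution D0."""
    return sum(-p if parity(w & z) else p for z, p in enumerate(d0)) ** 2


def lp_max(d0):
    """Maximum of LP(w . Z) over the non-zero masks w (Corollary 12)."""
    return max(linear_probability(d0, w) for w in range(1, len(d0)))


def tight_example(ell, gamma):
    """Distribution for which Corollary 12 is tight: Pr[0] = 2^-ell + (1 - 2^-ell) gamma,
    Pr[z] = 2^-ell - 2^-ell gamma for z != 0."""
    size = 2 ** ell
    return [1.0 / size + (1.0 - 1.0 / size) * gamma] + [1.0 / size - gamma / size] * (size - 1)


def linear_projection(dist, masks):
    """Distribution of h(S) for the GF(2)-linear h whose i-th output bit is masks[i] . S (Theorem 13)."""
    out = [0.0] * (1 << len(masks))
    for s, p in enumerate(dist):
        z = 0
        for m in masks:
            z = (z << 1) | parity(m & s)
        out[z] += p
    return out


def product(da, db):
    """Joint distribution of independent A ~ da and B ~ db, A in the high-order bits (Proposition 14)."""
    return [pa * pb for pa in da for pb in db]


if __name__ == "__main__":
    d0 = [0.30, 0.20, 0.28, 0.22]   # constructed D0 over {0,1}^2
    print("Delta =", sei(d0), " sum eps_hat^2 =", sum(e * e for e in fourier(d0)),
          " sum LP =", sum(linear_probability(d0, w) for w in range(1, 4)))
    t = tight_example(3, 0.1)
    print("tight: Delta =", sei(t), " (2^l - 1) LP_max =", 7 * lp_max(t))
    print("projection: Delta(h(S)) =", sei(linear_projection(t, [0b011, 0b110])))
    print("product: Delta + 1 =", sei(product(d0, t)) + 1, " vs", (sei(d0) + 1) * (sei(t) + 1))
```

For the tight distribution with $\ell = 3$ and $\gamma = 0.1$ every non-zero mask has $\mathrm{LP} = \gamma^2$, so $\Delta(D_0) = 7\gamma^2$ exactly as Corollary 12 allows; projecting it onto two independent linear forms gives $\Delta(h(S)) = 3\gamma^2 = (2^2 - 1)\mathrm{LP}_{\max}$, the bound of Theorem 13 with equality.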

In the light of the preceding discussion, the cryptanalyst may wonder if it is possible to find a distinguisher with a high advantage even though the value of $\mathrm{LP}_{\max}$ is very small. We provide an example for which it is indeed the case.

Example. Consider a source generating a random variable $S = (X_1, \ldots, X_{n+1}) \in \mathbb{Z}_4^{n+1}$ where $n$ is some odd large integer, and we represent $\mathbb{Z}_4$ by $\{0, 1\}^2$ in binary. Here we have $L = 2n + 2$. If the source follows distribution $D_0$, then $X_1, \ldots, X_n \in \mathbb{Z}_4$ are uniform iid random variables and $X_{n+1} = \left(Y + \sum_{i=1}^{n} X_i\right) \bmod 4$, where $Y \in \{0, 1\}$ is a uniformly distributed random variable independent of $X_1, \ldots, X_n$. If the source follows distribution $D_1$, $S \in \mathbb{Z}_4^{n+1}$ is uniformly distributed. It can be shown (see Appendix A) that $\mathrm{LP}_{\max}$ is very small. On the other hand, if we let $h : \mathbb{Z}_4^{n+1} \to \mathbb{Z}_2$ be such that $h(S) = \mathrm{msb}\left(\left(X_{n+1} - \sum_{i=1}^{n} X_i\right) \bmod 4\right)$ (where msb stands for most significant bit), we have $\ell = 1$ and a SEI $\Delta(D_0)$ equal to 1, so that $D_0$ can be distinguished from $D_1$ despite $\mathrm{LP}_{\max}$ being small.

This example shows that Theorem 13 tells us nothing about the SEI whenever the plaintext space is reduced by a non-linear projection. Therefore, even though $\mathrm{LP}_{\max}$ is very low, there may exist some tricky non-linear projections which lead to a significant breakdown of the complexity of distinguishers, i.e., there may be something beyond linear cryptanalysis.
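The source of this Example (and of Appendix A) is small enough to be enumerated exhaustively for a small $n$, which checks both claims at once: the best linear mask over all $2^L - 1$ choices has a tiny linear probability, while the non-linear msb projection has SEI 1. The following Python program is an added example, not code from the paper; it uses $n = 3$ (odd, with $n + 1 = 4$ a multiple of 4 as Appendix A assumes), encodes each $\mathbb{Z}_4$ coordinate as two bits with the least significant bit first, and the function names are ours.

```python
import itertools


def source_d0(n):
    """Exact distribution D0 of S = (X_1, ..., X_{n+1}) in Z4^{n+1}: X_1..X_n and Y uniform,
    X_{n+1} = (Y + sum X_i) mod 4. Returns {S: probability} by enumerating all (X_1..X_n, Y)."""
    dist = {}
    weight = 1.0 / (2 * 4 ** n)
    for xs in itertools.product(range(4), repeat=n):
        for y in (0, 1):
            s = xs + ((y + sum(xs)) % 4,)
            dist[s] = dist.get(s, 0.0) + weight
    return dist


def to_bits(s):
    """Binary encoding of a Z4 vector, two bits per coordinate (L = 2(n+1) bits in total)."""
    v = 0
    for x in s:
        v = (v << 2) | x
    return v


def parity(v):
    return bin(v).count("1") & 1


def lp_of_mask(dist, mask):
    """LP(mask . S) = (E[(-1)^{mask . S}])^2 under the distribution dist (Definition 10)."""
    e = sum(-p if parity(mask & to_bits(s)) else p for s, p in dist.items())
    return e * e


def lp_max_of_source(n):
    """LP_max of D0: the best single linear mask over all 2^L - 1 non-zero masks."""
    dist = source_d0(n)
    return max(lp_of_mask(dist, m) for m in range(1, 4 ** (n + 1)))


def msb_projection(s):
    """h(S) = msb((X_{n+1} - sum_{i<=n} X_i) mod 4), the projection of Proposition 18."""
    return ((s[-1] - sum(s[:-1])) % 4) >> 1


def sei_of_projection(dist, h):
    """SEI of Z = h(S) from the uniform distribution on {0,1} (Definition 7 with |Z| = 2)."""
    q = [0.0, 0.0]
    for s, p in dist.items():
        q[h(s)] += p
    return 2 * sum((x - 0.5) ** 2 for x in q)


def projection_balanced_under_d1(n):
    """Under D1 (S uniform on Z4^{n+1}) h must be balanced so that D1 stays uniform (Sect. 2.5)."""
    counts = [0, 0]
    for s in itertools.product(range(4), repeat=n + 1):
        counts[msb_projection(s)] += 1
    return counts[0] == counts[1]


if __name__ == "__main__":
    n = 3  # odd, and n + 1 = 4 is a multiple of 4 as assumed in Appendix A
    print("LP_max =", lp_max_of_source(n), " 2^-(n+1) =", 2.0 ** -(n + 1))
    print("SEI of h(S) under D0 =", sei_of_projection(source_d0(n), msb_projection))
    print("h balanced under D1:", projection_balanced_under_d1(n))
```

Under $D_0$ the projected value $(X_{n+1} - \sum_i X_i) \bmod 4$ is just $Y \in \{0, 1\}$, so its most significant bit is constant and the SEI is 1, whereas the only masks with non-zero linear probability are those selecting the most significant bit of every coordinate, for which the enumeration returns $\mathrm{LP} = 2^{-(n+1)}$; every other mask gives exactly 0.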



3 Optimal Distinguisher Between Two Oracles 

So far we discussed how to distinguish random sources. Now we investigate 
applications for distinguishing random oracles, such as block ciphers, and how 
to transform this into the previous problem. 

We consider the random variable $Z$ taking values in $\mathcal{Z}$ to be a couple of random variables $(X, Y)$ taking values in $\mathcal{X} \times \mathcal{Y}$. As discussed in Sect. 2.5, the couple $(X, Y)$ can be seen as the image of a plaintext/ciphertext couple $(P, C)$ by some balanced projections $\phi$ and $\psi$ (which actually define the statistical cryptanalysis in use); in other words, the adversary queries the oracle for known-plaintext pairs and computes the projections $\phi$ and $\psi$ to sample $(X, Y)$. For simplicity reasons, we focus our study on known-plaintext attacks (such as linear cryptanalysis) and thus, we consider that $X$ is uniformly distributed. The distribution of $Y$ is defined by a transition matrix $T$ such that

$$[T]_{x,y} = \Pr[Y = y \mid X = x] = \Pr[\psi(C) = y \mid \phi(P) = x] .$$

The transition matrix $T$ can either be $T_0$ or $T_1$, where $T_1$ is the uniform transition matrix (i.e., $[T_1]_{x,y} = \frac{1}{|\mathcal{Y}|}$). The distribution $D$ of $Z$ depends on the transition matrix $T$. We will denote it $D_0$ (respectively $D_1$) when $T = T_0$ (respectively $T = T_1$). We can see that if $T = T_1$, as $X$ is uniformly distributed, the distribution $D_1$ of $Z$ is also uniform. Therefore, all the results presented so far can be applied to the particular case we study here. Indeed, if we note that

$$\Pr_D[z] = \Pr_T[X = x, Y = y] = [T]_{x,y} \Pr[X = x] ,$$

we can express Proposition 1 in terms of the transition matrices.

Proposition 15 (Optimal Binary Hypothesis Test with Transition Matrices). The optimal acceptance region to test $D = D_0$ against $D = D_1$ (where $D_1$ is the uniform distribution), that is to test $T = T_0$ against $T = T_1$, is

$$\mathcal{A}_{\mathrm{opt}} = \left\{ (x^n, y^n) \in \mathcal{X}^n \times \mathcal{Y}^n : \mathrm{LLR}(x^n, y^n) \geq 0 \right\}$$

where

$$\mathrm{LLR}(x^n, y^n) = \sum_{\substack{(x, y) \in \mathcal{X} \times \mathcal{Y} \\ \text{s.t. } N((x,y)|z^n) > 0}} N((x, y)|z^n) \log \frac{[T_0]_{x,y}}{[T_1]_{x,y}}$$

with the conventions used in Proposition 1.

In the next sections, we derive the complexity of this distinguisher, discuss the relationship between our model and previous work, and study how Matsui's Piling-up Lemma [21] extends to our model.



3.1 Cryptanalysis Complexity 

We introduce the notion of bias matrix $B = T_0 - T_1$. Note that $\sum_{x \in \mathcal{X}} [B]_{x,y} = 0$ when $X$ is uniformly distributed and that $\sum_{y \in \mathcal{Y}} [B]_{x,y} = 0$ in any case. Similarly to Definition 8, the Fourier transform $\hat B$ of the bias matrix $B$ is such that

$$[\hat B]_{u,v} = \sum_{(x, y) \in \mathcal{X} \times \mathcal{Y}} (-1)^{u \cdot x \oplus v \cdot y} [B]_{x,y} .$$

Furthermore, we define $\mathrm{LPM}$, the linear probability matrix, by $[\mathrm{LPM}]_{u,v} = 0$ if $u = v = 0$ and by $[\mathrm{LPM}]_{u,v} = \mathrm{LP}(u \cdot X \oplus v \cdot Y)$ otherwise. It can be noted that $[\hat B]_{u,v}^2 = |\mathcal{X}|^2\, [\mathrm{LPM}]_{u,v}$. With the notations we just introduced, it is possible to derive the complexity of the best distinguisher between two oracles as a simple consequence of Theorem 6 and of Proposition 11.

Proposition 16. Let $n$ be the number of queries of the best distinguisher between $T_0$ and $T_1$, which are supposed to be close to each other and of same support. Then the overall probability of error is $P_e \approx 1 - \Phi(\sqrt{d}/2)$, where $d$ is a real number such that $n = d/\Delta(D_0)$. Furthermore, as

$$\Delta(D_0) = \frac{|\mathcal{Y}|}{|\mathcal{X}|} \|B\|_2^2 = \frac{1}{|\mathcal{X}|^2} \|\hat B\|_2^2 = \sum_{(u, v) \in \mathcal{X} \times \mathcal{Y}} [\mathrm{LPM}]_{u,v}$$

(where $\|M\|_2^2 = \sum_{x,y} [M]_{x,y}^2$ is the squared Euclidean norm of a matrix), $n$ can be equivalently expressed in terms of the bias matrix, of its Fourier transform, or of the linear probability matrix (and thus, of the linear probabilities).

Matsui's linear expressions are a very particular case of the transition matrices we have defined at the beginning of Sect. 3. Indeed, choosing balanced linear projections $\phi, \psi : \{0, 1\}^L \to \{0, 1\}$ is equivalent to choosing input/output masks on the plaintext/ciphertext bits. The respective shapes of the corresponding bias matrix, of its Fourier transform, and of the LPM matrix are

$$B = \begin{pmatrix} \epsilon & -\epsilon \\ -\epsilon & \epsilon \end{pmatrix} , \quad \hat B = \begin{pmatrix} 0 & 0 \\ 0 & 4\epsilon \end{pmatrix} , \quad \text{and} \quad \mathrm{LPM} = \begin{pmatrix} 0 & 0 \\ 0 & 4\epsilon^2 \end{pmatrix} ,$$

where $\epsilon$ is nothing but the bias of Matsui's linear expressions. According to Proposition 16, we see that the complexity of the distinguishing attack is proportional to $\|B\|_2^{-2}$, which is a well known result in linear cryptanalysis, for which $\|B\|_2^2 = 4\epsilon^2$.
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Fig. 1. Two rounds of an iterated block cipher 



There is an intuitive link between linear probability matrices and correlation matrices [3]. Recall that the correlation matrix of a Boolean function $f : \{0, 1\}^n \to \{0, 1\}^m$ is the $2^m \times 2^n$ matrix whose entry of index $(u, v)$ is $2\Pr[u \cdot f(P) \oplus v \cdot P = 0] - 1$, where the probability holds over the uniform distribution of $P$, so that the square of this entry is $\mathrm{LP}(u \cdot f(P) \oplus v \cdot P)$. We see that correlation matrices are strongly related to the linear probability matrices in the specific case where $\phi$ and $\psi$ are identity functions (i.e., no reduction is performed on the plaintext space).



3.2 Piling-Up Transition Matrices 

A distinguishing attack on an iterated cipher is practical on condition that the cryptanalyst knows a transition matrix spanning several rounds. In practice, the cryptanalyst will derive a transition matrix on each round and, provided that the projections were chosen carefully, pile them in order to obtain a transition matrix on several rounds of the cipher.

We consider the scenario where a block cipher is represented by a random permutation $C$ over $\{0, 1\}^L$ ($L$ denotes the block size of the cipher), where the randomness comes from the key. Moreover we suppose that the block cipher is made of two rounds corresponding to the succession of two random permutations $C^{(1)}$ and $C^{(2)}$. In other words $C = C^{(2)} \circ C^{(1)}$. We denote $P^{(1)}, P^{(2)} \in \{0, 1\}^L$ the respective inputs of $C^{(1)}$ and $C^{(2)}$, whereas $P^{(3)}$ denotes the output of $C^{(2)}$. The random variables $X$, $W$, and $Y$ respectively denote $\phi(P^{(1)})$, $\chi(P^{(2)})$, and $\psi(P^{(3)})$, where $\phi$, $\chi$, and $\psi$ are projections onto $\mathcal{X}$, $\mathcal{W}$, and $\mathcal{Y}$, respectively. With these notations, the respective transition matrices of $C^{(1)}$, $C^{(2)}$, and $C$ are

$$[T^{(1)}]_{x,w} = \Pr_{W|X}[w \mid x] , \quad [T^{(2)}]_{w,y} = \Pr_{Y|W}[y \mid w] , \quad \text{and} \quad [T]_{x,y} = \Pr_{Y|X}[y \mid x] .$$

This situation is represented on Fig. 1. Note that we use a representation which is very similar to Wagner's commutative diagrams [34]. Under the assumption that $X \to W \to Y$ is a Markov chain (as in [34]), it can easily be shown that successive transition matrices are multiplicative, i.e., $T = T^{(1)} \times T^{(2)}$. Note that this situation is idealistic as, even under the classical assumption that $P^{(1)} \to P^{(2)} \to P^{(3)}$ is a Markov chain [16, 32], $X \to W \to Y$ may not be a Markov chain unless the projections are chosen with care. Nevertheless, under the suitable suppositions, the following lemma shows how the Piling-Up Lemma extends to our model.



Lemma 17. Let $B^{(1)}$, $B^{(2)}$, and $B$ be the bias matrices associated with $T^{(1)}$, $T^{(2)}$, and $T$ respectively, such that $T = T^{(1)} \times T^{(2)}$. In the case of a known-plaintext attack, $B = B^{(1)} \times B^{(2)}$ and $\hat B = \frac{1}{|\mathcal{W}|} \hat B^{(1)} \times \hat B^{(2)}$. Therefore,

$$\|B\|_2 \leq \|B^{(1)}\|_2\, \|B^{(2)}\|_2 ,$$

with equality if, and only if, we can write $[B^{(1)}]_{x,w} = \alpha_x \gamma_w$ and $[B^{(2)}]_{w,y} = \gamma_w \beta_y$ for some $\alpha \in \mathbb{R}^{|\mathcal{X}|}$, $\beta \in \mathbb{R}^{|\mathcal{Y}|}$ and $\gamma \in \mathbb{R}^{|\mathcal{W}|}$.

Proof. As $T = T^{(1)} \times T^{(2)}$ we have

$$[B]_{x,y} = [T]_{x,y} - \frac{1}{|\mathcal{Y}|} = \sum_{w \in \mathcal{W}} \left([B^{(1)}]_{x,w} + \frac{1}{|\mathcal{W}|}\right)\left([B^{(2)}]_{w,y} + \frac{1}{|\mathcal{Y}|}\right) - \frac{1}{|\mathcal{Y}|} .$$

As $\sum_{w \in \mathcal{W}} [B^{(1)}]_{x,w} = 0$, we obtain $[B]_{x,y} = [B^{(1)} \times B^{(2)}]_{x,y} + \frac{1}{|\mathcal{W}|}\sum_{w \in \mathcal{W}} [B^{(2)}]_{w,y}$. The fact that $P^{(1)}$ is uniformly distributed implies that $P^{(2)}$ and $P^{(3)}$ are uniformly distributed and thus, as $\phi$, $\chi$, and $\psi$ are balanced, that $X$, $W$, and $Y$ are also uniformly distributed. In that case, we know that $\sum_{w \in \mathcal{W}} [B^{(2)}]_{w,y} = 0$, which proves that $B = B^{(1)} \times B^{(2)}$. We also have

$$\begin{aligned}
[\hat B^{(1)} \times \hat B^{(2)}]_{u,v} &= \sum_{a \in \mathcal{W}} [\hat B^{(1)}]_{u,a} [\hat B^{(2)}]_{a,v} \\
&= \sum_{a \in \mathcal{W}} \sum_{\substack{(x,w) \in \mathcal{X} \times \mathcal{W} \\ (w',y) \in \mathcal{W} \times \mathcal{Y}}} (-1)^{u \cdot x \oplus a \cdot w} [B^{(1)}]_{x,w}\, (-1)^{a \cdot w' \oplus v \cdot y} [B^{(2)}]_{w',y} \\
&= \sum_{(x,y) \in \mathcal{X} \times \mathcal{Y}} (-1)^{u \cdot x \oplus v \cdot y} \sum_{w, w' \in \mathcal{W}} [B^{(1)}]_{x,w} [B^{(2)}]_{w',y} \sum_{a \in \mathcal{W}} (-1)^{a \cdot (w \oplus w')} \\
&= |\mathcal{W}| \sum_{(x,y) \in \mathcal{X} \times \mathcal{Y}} (-1)^{u \cdot x \oplus v \cdot y} \sum_{w \in \mathcal{W}} [B^{(1)}]_{x,w} [B^{(2)}]_{w,y} \\
&= |\mathcal{W}| \sum_{(x,y) \in \mathcal{X} \times \mathcal{Y}} (-1)^{u \cdot x \oplus v \cdot y} [B]_{x,y} \\
&= |\mathcal{W}|\, [\hat B]_{u,v} ,
\end{aligned}$$

which proves that $\hat B = \frac{1}{|\mathcal{W}|} \hat B^{(1)} \times \hat B^{(2)}$. Finally, from the Cauchy-Schwarz inequality:

$$\begin{aligned}
\|B^{(1)} \times B^{(2)}\|_2^2 &= \sum_{(x,y) \in \mathcal{X} \times \mathcal{Y}} \left( \sum_{w \in \mathcal{W}} [B^{(1)}]_{x,w} [B^{(2)}]_{w,y} \right)^2 \\
&\leq \sum_{(x,y) \in \mathcal{X} \times \mathcal{Y}} \left( \sum_{w \in \mathcal{W}} [B^{(1)}]_{x,w}^2 \right) \left( \sum_{w' \in \mathcal{W}} [B^{(2)}]_{w',y}^2 \right) \\
&= \|B^{(1)}\|_2^2\, \|B^{(2)}\|_2^2 ,
\end{aligned}$$

with equality if, and only if, for all $(x, y) \in \mathcal{X} \times \mathcal{Y}$ there exists some $\lambda_{x,y}$ such that $[B^{(1)}]_{x,w} = \lambda_{x,y} [B^{(2)}]_{w,y}$ for all $w \in \mathcal{W}$, so that $[B^{(1)}]_{x,w} = \alpha_x \gamma_w$ with $\alpha_x = \lambda_{x,0}$ and $\gamma_w = [B^{(2)}]_{w,0}$; taking $\beta_y$ equal to $\alpha_0/\lambda_{0,y}$ when $\lambda_{0,y} \neq 0$ and to zero otherwise leads to the announced result. □

How to find projections $\phi$, $\chi$, and $\psi$ on larger spaces exhibiting such a Markovian property in a given block cipher remains however an open question to us. We may hope to approximate such a Markovian process.
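The identities of Proposition 16 (between $\Delta(D_0)$, $\|B\|_2^2$, $\|\hat B\|_2^2$ and the LPM) and of Lemma 17 (the bias matrices multiply and $\|B\|_2 \leq \|B^{(1)}\|_2 \|B^{(2)}\|_2$) hold exactly for any transition matrices with uniform marginals, so they can be verified on small constructed ones. The following Python program is an added example, not the paper's code: it builds two one-round transition matrices over $\mathcal{X} = \mathcal{W} = \mathcal{Y} = \{0, 1\}^2$ as averages of random permutation matrices (so a uniform input yields a uniform output), piles them up as $T = T^{(1)} \times T^{(2)}$, and also reproduces the Matsui-case matrices of Sect. 3.1. The random construction, the seed and the function names are ours.

```python
import random


def dot(u, x):
    """GF(2) inner product of two bit strings encoded as integers."""
    return bin(u & x).count("1") & 1


def walsh2d(m):
    """[M_hat]_{u,v} = sum_{x,y} (-1)^{u.x xor v.y} [M]_{x,y}, the Fourier transform of Sect. 3.1."""
    rows, cols = len(m), len(m[0])
    return [[sum(-m[x][y] if dot(u, x) ^ dot(v, y) else m[x][y]
                 for x in range(rows) for y in range(cols))
             for v in range(cols)] for u in range(rows)]


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]


def frobenius2(m):
    """||M||_2^2, the sum of the squared entries."""
    return sum(v * v for row in m for v in row)


def bias_matrix(t):
    """B = T0 - T1 with [T1]_{x,y} = 1/|Y|."""
    cols = len(t[0])
    return [[p - 1.0 / cols for p in row] for row in t]


def lpm(t):
    """Linear probability matrix: [LPM]_{u,v} = LP(u.X xor v.Y) for (u,v) != (0,0), X uniform."""
    rows, cols = len(t), len(t[0])
    out = [[0.0] * cols for _ in range(rows)]
    for u in range(rows):
        for v in range(cols):
            if u or v:
                e = sum((-t[x][y] if dot(u, x) ^ dot(v, y) else t[x][y]) / rows
                        for x in range(rows) for y in range(cols))
                out[u][v] = e * e
    return out


def sei_joint(t):
    """Delta(D0) of Z = (X, Y) with Pr_D0[(x,y)] = [T]_{x,y} Pr[X = x], X uniform, D1 uniform."""
    rows, cols = len(t), len(t[0])
    size = rows * cols
    return size * sum((t[x][y] / rows - 1.0 / size) ** 2 for x in range(rows) for y in range(cols))


def random_transition_matrix(size, rng, k=3):
    """Constructed T: the average of k random permutation matrices, so rows and columns
    both sum to 1 and a uniform input gives a uniform output."""
    t = [[0.0] * size for _ in range(size)]
    for _ in range(k):
        perm = list(range(size))
        rng.shuffle(perm)
        for x in range(size):
            t[x][perm[x]] += 1.0 / k
    return t


def example_matrices(seed=7, size=4):
    """Two constructed one-round transition matrices T1, T2 over X = W = Y = {0,1}^2."""
    rng = random.Random(seed)
    return random_transition_matrix(size, rng), random_transition_matrix(size, rng)


def matsui_matrices(eps):
    """B, B_hat and LPM for a single linear expression of bias eps (X = Y = {0,1})."""
    t0 = [[0.5 + eps, 0.5 - eps], [0.5 - eps, 0.5 + eps]]
    b = bias_matrix(t0)
    return b, walsh2d(b), lpm(t0)


def piling_up_check(t1, t2):
    """Lemma 17 for T = T1 x T2: largest gap between B and B1 x B2, between B_hat and
    (1/|W|) B1_hat x B2_hat, and the two sides of ||B||^2 <= ||B1||^2 ||B2||^2."""
    b1, b2, b = bias_matrix(t1), bias_matrix(t2), bias_matrix(matmul(t1, t2))
    bb = matmul(b1, b2)
    size_w = len(t2)
    bh = walsh2d(b)
    bbh = [[v / size_w for v in row] for row in matmul(walsh2d(b1), walsh2d(b2))]
    gap = max(abs(b[x][y] - bb[x][y]) for x in range(len(b)) for y in range(len(b[0])))
    gap_hat = max(abs(bh[u][v] - bbh[u][v]) for u in range(len(bh)) for v in range(len(bh[0])))
    return gap, gap_hat, frobenius2(b), frobenius2(b1) * frobenius2(b2)


if __name__ == "__main__":
    t1, t2 = example_matrices()
    t = matmul(t1, t2)
    print("Delta(D0) =", sei_joint(t), " ||B||^2 =", frobenius2(bias_matrix(t)),
          " ||B_hat||^2/|X|^2 =", frobenius2(walsh2d(bias_matrix(t))) / 16,
          " sum LPM =", sum(sum(r) for r in lpm(t)))
    print("piling up (gap, gap_hat, ||B||^2, ||B1||^2 ||B2||^2):", piling_up_check(t1, t2))
    print("Matsui case, eps = 0.1:", matsui_matrices(0.1))
```

With $|\mathcal{X}| = |\mathcal{Y}|$ the factor $|\mathcal{Y}|/|\mathcal{X}|$ in Proposition 16 is 1, so the three printed quantities coincide with $\Delta(D_0)$; for the Matsui case the program returns $B$ with entries $\pm\epsilon$, $\hat B$ with the single non-zero entry $4\epsilon$ and LPM with the single entry $4\epsilon^2$, i.e. $\|B\|_2^2 = 4\epsilon^2$.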



4 Distinguishers Versus Key Recovery 

In this section we show that our framework can adapt to key recovery instead of distinguishers. Let us consider a process which generates independent random variables $Z_{1,K}, \ldots, Z_{n,K}$ depending on some key $K \in \{0, 1\}^k$. We assume that for one unknown value $K = K_0$ all $Z_{i,K}$'s follow distribution $D_0$, whereas when $K \neq K_0$ all $Z_{i,K}$'s follow distribution $D_1$. We consider the simple key ranking procedure which, for all possible $K \in \{0, 1\}^k$, instantiates $z_K^n$ and ranks $K$ according to the grade $G_K = \mathrm{LLR}(z_K^n)$. For any $K \neq K_0$ we obtain (similarly to what we had in Theorem 6) that $G_{K_0} - G_K$ is approximately normally distributed with expected value $n\Delta(D_0)$ and standard deviation $\sqrt{2n\Delta(D_0)}$. Hence we obtain $G_{K_0} < G_K$ (i.e., a wrong key $K$ has a better rank than the right key $K_0$) with probability approximately $\Phi\left(-\sqrt{n\Delta(D_0)/2}\right)$. Let $d$ be such that $n = d/\Delta(D_0)$. This probability becomes $\Phi\left(-\sqrt{d/2}\right)$, which is approximately $e^{-d/4}$ when $d$ is large. So $K_0$ gets the highest grade with probability approximately equal to $\left(1 - e^{-d/4}\right)^{2^k - 1} \approx \exp\left(-2^k \cdot e^{-d/4}\right)$, which is high provided that $d > 4k \log 2$. Hence we need

$$n \approx \frac{4k \log 2}{\Delta(D_0)} .$$

This formula is quite useful to estimate the complexity of many attacks, e.g. [19, 20]⁷. We can finally note that the expected rank of $K_0$ (from 1 up to $2^k$) is $1 + (2^k - 1)\,\Phi\left(-\sqrt{n\Delta(D_0)/2}\right)$.
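The key ranking procedure above and its two estimates ($n \approx 4k\log 2/\Delta(D_0)$ and the expected rank $1 + (2^k - 1)\Phi(-\sqrt{n\Delta(D_0)/2})$) can be checked by simulation. The following Python program is an added example, not the paper's code: it reuses constructed toy distributions over $\{0, 1, 2, 3\}$, grades every one of the $2^k$ candidate keys by the LLR of its own sample (the right key's sample drawn from $D_0$, every wrong key's from $D_1$), and compares the average rank of $K_0$ with the formula. The parameters $k = 4$, the seed and the function names are ours.

```python
import math
import random
from collections import Counter

# Constructed toy distributions over Z = {0,1,2,3} (D1 uniform, D0 close to it).
D1 = [0.25, 0.25, 0.25, 0.25]
D0 = [0.30, 0.20, 0.28, 0.22]


def phi(t):
    """Standard normal distribution function."""
    return 0.5 * (1.0 + math.erf(t / math.sqrt(2.0)))


def sei(d0):
    """Squared Euclidean Imbalance Delta(D0) = |Z| sum_z eps_z^2 (Definition 7)."""
    size = len(d0)
    return size * sum((p - 1.0 / size) ** 2 for p in d0)


def grade(sample, d0, d1):
    """G_K = LLR(z_K^n), computed from the symbol counters (Proposition 1)."""
    return sum(c * math.log(d0[a] / d1[a]) for a, c in Counter(sample).items())


def samples_for_key_recovery(k, delta):
    """n ~ 4 k log 2 / Delta(D0): enough samples for K_0 to get the top grade with high probability."""
    return 4.0 * k * math.log(2.0) / delta


def wrong_key_beats_right_key(n, delta):
    """Pr[G_{K_0} < G_K] ~ Phi(-sqrt(n Delta(D0) / 2)) for one wrong key K."""
    return phi(-math.sqrt(n * delta / 2.0))


def expected_rank(k, n, delta):
    """Expected rank of K_0 among the 2^k candidates: 1 + (2^k - 1) Phi(-sqrt(n Delta(D0) / 2))."""
    return 1.0 + (2 ** k - 1) * wrong_key_beats_right_key(n, delta)


def simulate_rank(d0, d1, k, n, trials, seed=3):
    """Average rank of K_0 in the simple key ranking procedure: the right key's samples follow
    D0, every wrong key's samples follow D1, and keys are ranked by their grade."""
    rng = random.Random(seed)
    symbols = list(range(len(d0)))
    total = 0
    for _ in range(trials):
        k0 = rng.randrange(2 ** k)
        grades = [grade(rng.choices(symbols, d0 if key == k0 else d1, k=n), d0, d1)
                  for key in range(2 ** k)]
        total += 1 + sum(1 for key, g in enumerate(grades) if key != k0 and g > grades[k0])
    return total / trials


if __name__ == "__main__":
    k, delta = 4, sei(D0)
    n = math.ceil(samples_for_key_recovery(k, delta))
    print("Delta(D0) =", delta, " n =", n)
    print("expected rank =", expected_rank(k, n, delta),
          " simulated rank =", simulate_rank(D0, D1, k, n, 200))
```

For these distributions $\Delta(D_0) = 0.0272$, so $k = 4$ calls for about 408 samples per key; at that $n$ the formula predicts an expected rank of about 1.14 for $K_0$, and the simulated average stays close to it.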

5 Conclusion 

Most modern block ciphers are proven to be resistant to linear cryptanalysis in some sense. In this paper, we wonder how this resistance extends to (both known and unknown) generalizations of linear cryptanalysis. For this, we define a sound and rigorous statistical framework which allows us to interpret most of these attacks in a simple and unified way; secondly, we develop a set of useful statistical tools to describe such attacks and to analyze their performance. Recently, our results on $\mathrm{GF}(2)$-linear projections were exploited by [20] to obtain a small improvement factor in an attack on E0, and by [19] in another attack against two-level E0. In the sequel of this paper, we observe that resistance to linear cryptanalysis implies (a somewhat weaker) resistance to generalizations based on $\mathrm{GF}(2)$-linear projections; however this resistance does not extend to all statistical cryptanalysis, as demonstrated by our example exploiting correlations in $\mathbb{Z}_4$, which confirms observations of Parker and Standaert et al. [27, 29]. The next natural step, which we hope to have rendered easier, will be to exhibit such a practical statistical cryptanalysis against a block cipher immune to linear cryptanalysis, like AES [4].

⁷ Note that [19, 20] use slightly different notations: $\Delta(D_0)$ denotes the Euclidean Imbalance instead of the Squared Euclidean Imbalance.
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A A Strange Distribution 

We consider a source generating a random variable $S = (X_1, \ldots, X_{n+1}) \in \mathbb{Z}_4^{n+1}$ where $n$ is some large integer, which follows either $D_0$ or $D_1$ (the uniform distribution). The distribution $D_0$ is such that $X_1, \ldots, X_n$ are uniformly distributed iid random variables and $X_{n+1} = \left(Y + \sum_{i=1}^{n} X_i\right) \bmod 4$, where $Y \in \{0, 1\}$ is uniformly distributed and independent of $X_1, \ldots, X_n$. We claim that the linear probability of the best linear distinguisher with one query is very small (equal to $2^{-(n+1)}$) whereas it is still possible to find a projection $h$ such that $Z = h(S)$ has a high SEI. In order to simplify the proof, we will suppose that $n + 1$ is a multiple of 4.

Proposition 18. Let $h : \mathbb{Z}_4^{n+1} \to \mathbb{Z}_2$ be defined by $h(S) = \mathrm{msb}\left(\left(X_{n+1} - \sum_{i=1}^{n} X_i\right) \bmod 4\right)$. Then the SEI of $Z = h(S)$ is 1.

The following lemmas will be used to prove that the best linear distinguisher is drastically less powerful than the distinguisher of Proposition 18.

Lemma 19. Let $u = u_1 u_2 \cdots u_n$ be a string of $n$ bits. If we denote $w$ the Hamming weight of $u$ then we have

$$\sum_{1 \leq j < k \leq n} u_j u_k = \frac{w(w-1)}{2} .$$
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Lemma 20. For any positive integer N , we have: 

/N\ 1 

(4 •) = 4 ( 2 ^ + (1 + *)^ + (1 - *)^) 
j=o ^ •''' 

[(Af^^)/4J / j\j \ 1 

(4- + J = 4 + + ’ 

0=0 ^ ^ 

where i is the imaginary unit equal to 

Proposition 21. When S follows Dq we have = 2 

Proof. Each Xi is in Z 4 so that it can be described by two bits, denoted 

If S is considered like a bit string, a linear distinguisher will be defined by a hash 

function h such that 



'n+l 

HS) = I ^a,Xf 



' n+l 



where oi, . . . , a„+i, 61 , ... , 6 „+i G {0, 1} with at least one non-zero value. We 
easily prove that 



® — j ® 1 ® j ® 1 ® j ® 

i=l \j=l / \j<k<n / \j=l 



Thus, if B denotes the value of the bit h{S), we have 



B — I © a„+i)Xj" j © j © bn^i)X^ j © On+iY 

vf=i / \f=i 



bn+i 0 xfx, 
l<j<k<n 



K+i 0 XfY 

i=i 



If bn+i = 0 we can see that (as at least one of the oi, . . . , a„+i, &i, . . . , 5„ is 
strictly positive) Pr Dq [S = 0] = |, hence LP(B) = 0. If b„ +1 = I, we have 



B — j © ttn+l)Xj 



Vf=l 



) ® ^n+lY 



© vj-x, 

, l<j<fc<n 



©V© 
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If one of the bj’s is non-zero, then B is uniformly distributed so LP(_B) = 0. 
We now assume that bj = 1 for all j = 1, . . . , n. We have 



B — j 0 1 0a„+iy 0 I ^ 1 ® j 

^i=l / \l<j<k<n J \i = l 



Let us define Uj = 0 a 0 for j G {0, . . . , n} and [/j = F 0 a for j = n 0 1, 

with a = aj . We can show that 



B=\ 0 U,Uk 

\l<j <k<n-\-l 

where c G {0, 1} is a constant. Using Lemma 19 and denoting W the Hamming 
weight of the random string of bits Ui, . . . , Un+i we obtain 



Pr [B = c] = Pr 






= Pr [W mod 4 = 0 or 1] 



n + 1 

1 ^ /n 0 1 



E 



2«+i ^ \ 4j 
3=0 ^ •' 



1 ^ / n 0 1 

2«+i 2^ I 4j + 1 

3=0 ^ 



Using Lemma 20 we deduce 

Pr I B - d - 0 (l + 0" + (l-ir _ 1 , _ 1 , (-1)'^ 

rr |j> q 2 ^ 4x2” 2 2i+> 2 ’ 



where we used the fact that n 0 1 is a multiple of 4. Finally, = 2 
Abstract. In this paper, we introduce a new power analysis attack against DES. It is based on the well known Davies-Murphy attack. As for the original attack, we take advantage of non-uniform output distributions for two adjacent S-boxes. We show how to detect these biased distributions by power analysis on any DES inner round and thus obtain one bit of information about the key.

An advantage of this new attack is that no information about DES inputs or outputs is required. Therefore it is likely to defeat many actual countermeasures, in particular the popular masking techniques.



1 Introduction

Side-channel attacks have been developed in parallel to “classical” attack techniques for about 10 years. The initial publication by Kocher [13, 14] of Simple Power Analysis (SPA) and Differential Power Analysis (DPA) has been a major breakthrough in the domain. The general idea in this new family of attacks is to use “non-conventional” sources of information. Typically, the situation is that we have a cryptographic device manipulating a secret key or data which is protected against physical intrusion (we can think of this device as a smart-card, for instance). Then an attacker tries to obtain these secrets by measuring some external elements of information about the device. A leakage can result from the electric consumption of the device, its electromagnetic radiations, or simply from timing measurements. Some related attacks are also based on analyzing faults during the execution of the cryptographic computations [8].

Side channel attacks using the electric consumption are generally called “Power Attacks”. It is widely believed that power consumption is always somehow correlated to the manipulated data. The question is thus to find appropriate countermeasures in order to thwart all known attacks. Power Attacks have been developed without distinction between secret and public key primitives. However in this paper, we mostly focus on the analysis of block ciphers. In this particular context, the most popular family of attacks is DPA [14] and its extended version, Higher-Order DPA [17,21]. Advanced attacks usually revisit some techniques of “classical” cryptanalysis, like collision attacks [20] or differential attacks [15].

The goal of this paper is to propose a new power attack. We revisit the well-known Davies-Murphy cryptanalysis of DES [5, 11] and transform it into a power analysis attack. The “classical” attack uses non-uniform output distributions for each pair of adjacent S-boxes in DES. This property results from the duplication of some state bits by the expansion function. Non-uniform distributions result in a detectable imbalance in electric consumption, and we propose several techniques to detect and exploit this imbalance. We call our new attack the Davies-Murphy Power Attack (DMPA).

P.J. Lee (Ed.): ASIACRYPT 2004, LNCS 3329, pp. 451-467, 2004.
© Springer-Verlag Berlin Heidelberg 2004

452 S. Kunz-Jacques, F. Muller, and F. Valette

First we discuss the model used to describe the correlation between intermediate data and power consumption. Then we recall the principles of DES and the Davies-Murphy attack, and investigate some additional properties. In Section 5, the general principle of DMPA is presented and we propose some tricks to apply it to various scenarios and different kinds of implementation. The final sections are dedicated to discussing the advantages and the extensions of DMPA.



2 The Power Consumption Model

In power analysis attacks, the basic assumption is that power consumption is somehow correlated with some data handled during the execution of an instruction. A classical assumption is the Hamming weight model [1,9] where we suppose that the power consumption is proportional to the Hamming weight of the manipulated data $D$. Let $W$ be the power consumption and $H$ the Hamming weight function. We suppose that

$$W = \lambda\, H(D \oplus R) + \theta$$

where $\theta$ is a term of noise, $\lambda$ a scalar and $R$ a reference state from which we measure the number of bits flipped. For instance, $R$ is often seen as a constant, unknown machine word (but $R$ is not necessarily zero). The underlying assumption for electric consumption is that flipping a bit from 0 to 1 or flipping it from 1 to 0 costs almost the same thing, while keeping a bit unchanged costs almost nothing.

Many papers on side channel attacks [7, 10, 14, 18] observed empirically this correlation between the consumption of a smart card and the Hamming weight of the operands. This model has also been verified more formally (see [9] for instance). Although a finer analysis has revealed that an extended linear model was sometimes more appropriate [1], it is still widely believed in practice that the Hamming weight model is a reasonable approximation. Actually it seems particularly well suited to model circuits based on the widely used CMOS technology, while it may be less appropriate for other technologies.

In the following, we suppose that the Hamming weight model holds. We stress that this model is not specifically helpful for our attack. We choose it because it is frequently used in the literature, and from our experience of cryptographic hardware, we believe it is very often appropriate. However our attack could probably be adapted to another model, as long as an actual correlation exists between $W$ and $D$.

It is classically known that implementations can be subject to power analysis attacks when one of the following conditions holds:

— the intermediate data $D$ depends only on the plaintext and a small portion of key bits. This is the fundamental hypothesis for Differential Power Analysis (DPA).

— a simple function of several intermediate data $D_1, \ldots, D_t$ depends only on the plaintext and a small portion of key bits. This is the fundamental hypothesis for Higher-Order Differential Power Analysis (HO-DPA)¹.

Then an attacker would use the correlation between intermediate data and power consumption to detect a correct guess of the key bits. Recent implementations take this threat into account by protecting all inner instructions. For instance a popular family of countermeasures consists in masking the manipulated data [2-4]. The underlying idea is that intermediate values should look random, even when the plaintext is known. However, most countermeasures do not take into account the fact that intermediate data may be biased independently of the plaintext. In the case of DES, this is actually the case because of Davies' observation about pairs of adjacent S-boxes [11]. In the next section, we focus on DES and recall the well-known Davies-Murphy attack.



3 DES and the Davies-Murphy Attack

The Data Encryption Standard (DES) is one of the most popular block ciphers. Since it was selected as a standard by the NBS in 1977 [19], it has been the target of much research on cryptanalysis. Among all the results against DES, three attacks have emerged:

— Differential Cryptanalysis (DC) [6] was proposed by Biham and Shamir in 1990. It has been a major breakthrough and many applications to other algorithms have been demonstrated thereafter. Since then, it was revealed that the principle of DC was already known by the designers of DES.

— Linear Cryptanalysis (LC) [16] was proposed by Matsui in 1993. Like DC, it quickly became very popular and was applied successfully to other algorithms. In addition, this attack was practically implemented by Matsui in the case of DES. This technique was presumably not known by the designers of DES.

— The Davies-Murphy Cryptanalysis [5, 11] is a dedicated attack against DES. It takes advantage of biased distributions for two adjacent S-boxes. Although less generic than the previous two, Davies-Murphy cryptanalysis is a concern for Feistel ciphers with a non-bijective round function.

First we recall the general structure of DES (see Figure 1). We call $F$ the round function, iterated 16 times in this case.

$F$ is represented in more detail in Figure 2. The general idea of the Davies-Murphy attack is to look at two adjacent S-boxes (say $S_1$ and $S_2$). Because of the expansion phase, two bits of the input have been duplicated and are shared by the inputs of $S_1$ and $S_2$. These two bits are the two rightmost bits of $S_1$ and the two leftmost bits of $S_2$. Consequently the output distributions for $S_1$ and for $S_2$ are not independent. A precise analysis shows that the joint distribution is not uniform. Moreover, depending on one key bit², two distributions (both non uniform) can be observed. Theoretically this allows an attacker to learn the sum of the 4 key bits corresponding to the shared positions in $S_1$ and $S_2$ (see [5, 11]).

¹ Here it is t-th order DPA, since t intermediate data are considered.

Fig. 1. The general structure of DES

Fig. 2. The round function of DES



To give an illustration of the Davies-Murphy biased distributions, we focus on the S-boxes $S_1$ and $S_2$. We denote by $(k_1, k_2, k_3, k_4)$ the 4 subkey bits corresponding to the “shared” positions of $S_1$ and $S_2$, and we call $k = k_1 \oplus k_2 \oplus k_3 \oplus k_4$ the sum of these 4 bits. In Table 1 we represent the output distributions for both cases $k = 0$ and $k = 1$. $y_1$ and $y_2$ represent respectively the outputs of $S_1$ and $S_2$. These distributions were simply obtained by looping over all possible inputs of $S_1$ and $S_2$.

This kind of imbalance was initially observed by Davies [11]. At first, it was thought that the attack could not be extended to the full DES. Indeed the previous observation extends to 16 rounds by composing 8 times the distributions.

² Actually, it is one linear combination of key bits.

Table 1. Biased distributions for $S_1$ and $S_2$, cases $k = 0$ and $k = 1$ (all elements in the table should be divided by $2^{10}$; the body of the table is not legible in this scan)



The XOR of plaintext and ciphertext is therefore non uniform and it turns out that the bias depends only on one combination of key bits. Unfortunately the resulting imbalance is too small to be detected. Later on, Biham and Biryukov demonstrated how to improve this attack to obtain an attack faster than exhaustive search for the full DES [5]. In this paper we focus on Davies-Murphy's biased distributions for just one round.



4 Extension of Davies-Murphy to the Hamming Weight

The key observation of the Davies-Murphy attack is that, for any DES inner round, intermediate data are not distributed uniformly, for randomly-chosen inputs. However in a power attack we do not have direct access to the intermediate data but to the power consumption (which is hopefully correlated to the data). Since we assume the Hamming weight model, this correlation depends on the Hamming weight of the S-box output. Hence it is natural to consider how the Davies-Murphy property translates to the Hamming weight.

As a first example, we consider the S-boxes $S_1$ and $S_2$ and look at the joint distribution of $(h_1, h_2) = (H(S_1(x_1)), H(S_2(x_2)))$ where $x_1$ and $x_2$ are uniformly chosen. The resulting distribution is given in Table 2.

Four values are biased in Table 2 (the corresponding positions $(h_2, h_1)$ are $(0,2)$, $(4,2)$, $(0,3)$ and $(4,3)$). Hence the imbalance exists but is not huge. Still, we hope to make it exploitable but we need to introduce appropriate statistical tools.

Definition 1. Let $D_1, D_2$ be two distributions over some finite domain $X$. The statistical distance between $D_1$ and $D_2$ is defined as

$$|D_1 - D_2| = \sum_{x \in X} |D_1(x) - D_2(x)|$$
Table 2. Distributions of output Hamming weight for $S_1$ and $S_2$ (all elements in the table should be divided by $2^{10}$). Rows are indexed by $h_1 = H(S_1(x_1))$, columns by $h_2 = H(S_2(x_2))$.

          Uniform (U)              Case k = 0               Case k = 1
h1 \ h2   0   1    2    3   4      0   1    2    3   4      0   1    2    3   4
0         4  16   24   16   4      4  16   24   16   4      4  16   24   16   4
1        16  64   96   64  16     16  64   96   64  16     16  64   96   64  16
2        24  96  144   96  24     26  96  144   96  22     22  96  144   96  26
3        16  64   96   64  16     14  64   96   64  18     18  64   96   64  14
4         4  16   24   16   4      4  16   24   16   4      4  16   24   16   4

Using this definition, we can compute the statistical distance between the previous distributions. Let $U$ be the distribution of Hamming weight for uniformly chosen inputs. $D_i$ denotes the distribution in the case $k = i$. For S-boxes $S_1$ and $S_2$, we can easily compute:

$$|D_0 - U| = \frac{1}{128}, \qquad |D_1 - U| = \frac{1}{128}, \qquad |D_1 - D_0| = \frac{1}{64}$$



The imbalance for S-boxes $S_1$ and $S_2$ is not the best we can obtain. We repeated the same experiment with different pairs of S-boxes and obtained better results. This is summarized in Table 3.

When using random inputs, all pairs of adjacent S-boxes present an imbalance regarding the output Hamming weight. The best ones are obtained for $(S_2, S_3)$, $(S_7, S_8)$ and $(S_8, S_1)$. One can also notice that

$$|D_0 - U| = |D_1 - U| = 0.5 \times |D_1 - D_0|$$

always holds due to the symmetry property:

$$D_0(x) + D_1(x) = 2 \cdot U(x)$$

Therefore we have exhibited a Hamming weight version of the Davies-Murphy imbalance on DES, and we are confident that the electric consumption for adjacent S-boxes is biased, even for randomly-chosen plaintexts.

Table 3. Statistical distance between distributions $U$, $D_0$ and $D_1$ (the body of the table is not legible in this scan)



5 The Davies-Murphy Power Attack

In this section, we want to turn the imbalance of Hamming weight into a powerful side channel attack against DES. First, we need to specify which specific assumptions we make about the power consumption of the cryptographic device.

5.1 Assumptions

As mentioned previously, our general assumption is the Hamming weight model. However, before describing an attack, we need to state this model more precisely.

A first and crucial question is to determine what the reference state $R$ corresponds to in practice. In [9], some experiments were conducted on different hardware to answer this question. Depending on the chips, different results were obtained. In many cases, $R$ corresponded to the address of the input value or to the opcode of the current instruction. For other chips, $R$ was always 0, presumably because these chips clear the bus between each instruction. Overall it is reasonable to consider that each instruction corresponds to a unique constant $R$.

More formally, we make the assumption that there is a constant $R_i$, independent of the round, such that the electric consumption $W_i$ of S-box $S_i$ is

$$W_i = \lambda\, H(y_i \oplus R_i) + \theta$$

with the same notations as in Section 3.

Moreover, we suppose that all S-box computations are done separately, hence we can observe any $W_i$ separately by looking at an appropriate portion of the power consumption curves. This assumption is reasonable, but may be subject to discussion, depending on the implementation. Indeed some computations might be done in parallel (for instance, on an 8-bit architecture, it is likely that pairs of adjacent S-boxes are executed simultaneously, thus we could observe only $W_{2i} + W_{2i-1}$).

We further explore these different scenarios in Section 6. Here, we explore only the case where all S-boxes are computed sequentially. This is convenient to describe a basic attack.
5.2 The Principle of the Attack

We have already seen that $(H(y_i), H(y_{i+1}))$ is biased a priori for random plaintext, depending just on one key bit $k$. Actually what we observe also depends on the unknown constants $R_i$ and on the noisy term $\theta$. The general idea of the attack is decomposed in 3 steps:

— First, we observe that the distribution of $(H(y_i \oplus R_i), H(y_{i+1} \oplus R_{i+1}))$ is, in general, still biased for most constants $R_i, R_{i+1}$.

— Secondly, we build an empirical distribution of $(H(y_i \oplus R_i), H(y_{i+1} \oplus R_{i+1}))$ by encrypting a set of randomly chosen plaintexts. Hence we need to identify the portion of curves corresponding to $W_i$ and $W_{i+1}$, then to counter the influence of the noisy term. The resulting empirical distribution is then matched with theoretical results.

— Finally, a good method to perform this matching is proposed. Our strategy is to compare distributions for two different inner rounds (not necessarily consecutive).

1 - Adding the Constants in the Distributions. To analyze the influence of the constants $R_i$, we simply explored all possible cases. Hence we have looked at the distributions $(H(y_i \oplus R_i), H(y_{i+1} \oplus R_{i+1}))$ for various pairs of S-boxes, with all possible constants $(R_i, R_{i+1})$. These results are summarized in Table 4. As before, distribution $D_i$ corresponds to the case $k = i$. Besides, the column “constant = 0” corresponds to the previous results (see Table 3).



Table 4. Statistical distances with constants $R_i$

S-boxes          Statistical distance |D1 - D0|
            constant = 0   worst constant   best constant   average value
(S1,S2)         1/64             0              5/32           1.5/32
(S2,S3)         3/32           3/32             7/32         3.656/32
(S3,S4)        1/128             0             9/128         0.473/32
(S4,S5)         1/64             0              9/64         0.984/32
(S5,S6)         1/64           1/64             3/32         1.195/32
(S6,S7)         3/64           1/64            9/128         1.262/32
(S7,S8)         1/16           1/16           25/128         3.094/32
(S8,S1)         1/16          1/128             3/32         0.711/32

Clearly, we observe that the average distance is quite significant for all pairs (it ranges from $0.473/32$ to $3.656/32$, that is roughly from $1/64$ to $1/8$). We also observe that there are “good” and “bad” constants, but on average an imbalance is expected.



2 - Getting Rid of the Noise. In the second phase, our goal is to build empirical distributions. More precisely, we encrypt a set of $M$ randomly chosen plaintexts and we monitor the electric consumption. We target the appropriate portion of the curves to observe $(W_i, W_{i+1})$. Our goal is, from these observations, to decide the underlying value of $(H(y_i \oplus R_i), H(y_{i+1} \oplus R_{i+1}))$ for each sample, despite the noise. Hence we obtain an empirical distribution over $M$ samples. It is well known that when $M$ grows, the empirical distribution converges to the theoretical distribution. More precisely, to get rid of the noise, two situations must be distinguished:

1. Suppose we can repeat each experiment. Typically, we can obtain twice from the cryptographic device the same encryption and the same execution. This assumption is commonly used in power analysis attacks. In this case the noise is eliminated by multiplying the samples for each trace and computing the average consumption.

2. Suppose we cannot repeat any experiment. Typically, any encryption corresponds to a random plaintext. This can result from masking countermeasures (with a fresh mask for each block!) or from a randomized mode of operation (CBC plus IV for instance).

In the first hypothesis, there is just an extra workload per message to make the noise arbitrarily small. Typically, if we have a Gaussian noise with expected value 0 and standard deviation $\sigma$, we expect to reduce the standard deviation by a factor $\sqrt{M}$ if we repeat $M$ times each experiment. Therefore, since our model is

$$W_i = \lambda\, H(y_i \oplus R_i) + \theta$$

we consider the noise is sufficiently small when $\lambda \gg \sigma$, i.e. the noise is negligible compared to the data-dependent term.

In the second hypothesis, we cannot eliminate the noise by averaging methods. However we hope that it will only slightly perturb our empirical distributions. Hence we suppose $\lambda \gg \sigma$, so when making a decision for each Hamming weight, we have a small probability $p$ of making a mistake. Our practical experiments on a smart card confirmed this supposition (see Section 6). A justification is that the data-dependent terms represent the consumption of bus lines which is generally dominant in a chip. More precisely, our decisions are made using thresholds on the observed consumption:

$$H(y_i \oplus R_i) = t \quad \text{if } W_i / \lambda \text{ lies in } [t - 0.5,\; t + 0.5].$$

For example if $W_i / \lambda$ is in the range $[2.5, 3.5]$, we decide $H(y_i \oplus R_i) = 3$. If the noise is indeed negligible, we are successful in predicting the Hamming weight with overwhelming probability. This threshold strategy is summarized in Figure 3 and further analyzed in Appendix A. Of course, in practice, $\lambda$ is not known but we can set up thresholds experimentally to fit the observations. We stress that this analysis requires a good knowledge of the electric behavior of the chip.

3 - Comparing Two Inner Rounds. After step 2, we construct an empirical distribution of Hamming weight from power consumption curves. We know this is biased depending on one round key bit $k$. However, since the key is fixed, we have nothing to compare it with. Besides it is impossible to tell the value of $k$ just by looking at the distribution, because it highly depends on the unknown $R_i$.

Fig. 3. Threshold rules of decision when observing $W_i / \lambda$

However an attack is still possible by looking at two different inner rounds of DES (not necessarily consecutive rounds). For instance, suppose we encrypt random plaintexts and compare the consumptions of round 1 and 2 for the adjacent S-boxes $(S_2, S_3)$. At round 1 we observe $(W_2, W_3)$, which is distributed differently depending on whether some first round key bit $k$ is 0 or 1. These distributions are respectively called $D_1$ and $D_0$. A similar observation holds for round 2 with a second round key bit $k'$. Thus

— If $k = k' = i$, we have distributions $D_i$ for both rounds.

— If $k \neq k'$, we have distributions $D_0$ for one round and $D_1$ for the other.

$D_1$ and $D_0$ depend on the constants $R_i$, but we have seen that, on average,

$$|D_1 - D_0| = \frac{3.656}{32} \approx 0.114$$

and even in the worst case, this value is $3/32$. So, in theory, if the number of samples $M$ is sufficient (typically $M \gtrsim 100$), we should be able to tell if $k = k'$ or $k \neq k'$ and thus learn one bit of information about the key. In practice, we retrieve two empirical distributions $E^0$ and $E^1$. We must decide whether these distributions are the same ($k = k'$) or if they are different ($k \neq k'$). Because of the symmetry property exhibited in Section 4, we use the following indicator:

$$I = \sum_{x} \big(E^0(x) - U(x)\big) \times \big(E^1(x) - U(x)\big)$$

Basically, we have normalized the empirical distributions by subtracting the $U$ distribution, and then we compute a scalar product. If $k = k' = i$, then this indicator is positive:

$$I_{k = k'} = \sum_{x} \big(D_i(x) - U(x)\big)^2$$

Otherwise, if $k \neq k'$, then the indicator should be negative:

$$I_{k \neq k'} = \sum_{x} \big(D_0(x) - U(x)\big) \times \big(D_1(x) - U(x)\big) = -\sum_{x} \big(D_1(x) - U(x)\big)^2$$

because of the symmetry property described in Section 4. Therefore

$$I_{k = k'} = -I_{k \neq k'}$$

and these values are sufficiently large to be detected in practice.
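The Hamming-weight imbalance of Section 4 and the indicator of Section 5.2, recomputed as an added example (this code is not from the paper): it enumerates the $2^{10}$ state bits feeding the adjacent pair $(S_1, S_2)$, rebuilds Table 2, checks that the joint distribution depends only on the parity $k$ of the four shared subkey bits, and evaluates $|D_1 - D_0|$, $|D_0 - U|$, the collapsed $h_1 + h_2$ distribution of the 8-bit scenario and the indicator $I$. It embeds only the standard FIPS 46-3 tables of $S_1$ and $S_2$; the reference states $R_i$ are optional parameters that default to 0.

```python
"""Davies-Murphy imbalance of DES S-box outputs, measured on the Hamming weight.

Added example, not code from the paper: exhaustively enumerate the 2^10 state
bits feeding the adjacent pair (S1, S2), rebuild Table 2, check that the joint
distribution depends only on the parity of the four shared subkey bits, and
evaluate the statistical distances of Section 4 and the indicator I of 5.2.
"""
from fractions import Fraction
from math import comb

# DES S1 and S2 (FIPS 46-3): row selected by input bits (1,6), column by bits (2..5).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]
S2 = [
    [15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10],
    [3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5],
    [0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15],
    [13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9],
]


def sbox(table, x):
    """Evaluate a DES S-box on the 6-bit input x (input bit 1 is the MSB)."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    return table[row][(x >> 1) & 0xF]


def hw(v):
    return bin(v).count("1")


def joint_hw_distribution(sk1, sk2, r1=0, r2=0):
    """Counts of (H(S1(x1) ^ r1), H(S2(x2) ^ r2)) over all 2^10 state bits.

    sk1, sk2: the 6-bit subkeys XORed into the S-box inputs.  r1, r2: the
    reference states R_i of Section 5.1 (0 reproduces Table 2).  The expansion
    E sends state bits (32,1,2,3,4,5) to S1 and (4,5,6,7,8,9) to S2, so bits 4
    and 5 are shared: S1's two rightmost and S2's two leftmost input bits.
    Entry [h1][h2] is a count; divide by 1024 to get the probability.
    """
    counts = [[0] * 5 for _ in range(5)]
    for state in range(1 << 10):  # bits (32,1,...,9) of the right half, MSB first
        x1 = ((state >> 4) & 0x3F) ^ sk1
        x2 = (state & 0x3F) ^ sk2
        counts[hw(sbox(S1, x1) ^ r1)][hw(sbox(S2, x2) ^ r2)] += 1
    return counts


# U of Section 4: two independent binomial(4, 1/2) weights, scaled to 2^10.
UNIFORM = [[4 * comb(4, h1) * comb(4, h2) for h2 in range(5)] for h1 in range(5)]


def shared_key_parity(sk1, sk2):
    """k = k5 ^ k6 ^ k7 ^ k8: the subkey bits sitting on the shared positions."""
    return (hw(sk1 & 0b11) + hw((sk2 >> 4) & 0b11)) & 1


def distributions_by_parity():
    """Distinct joint distributions observed for each parity k when the four
    shared subkey bits vary (the other eight only permute uniform inputs)."""
    seen = {0: set(), 1: set()}
    for shared in range(16):
        sk1, sk2 = shared & 0b11, (shared >> 2) << 4
        dist = joint_hw_distribution(sk1, sk2)
        seen[shared_key_parity(sk1, sk2)].add(tuple(map(tuple, dist)))
    return seen


def _flat(d):
    return [x for row in d for x in row] if isinstance(d[0], list) else list(d)


def statistical_distance(d_a, d_b):
    """Definition 1: sum_x |D_a(x) - D_b(x)|, for count tables or flat lists."""
    fa, fb = _flat(d_a), _flat(d_b)
    return Fraction(sum(abs(a - b) for a, b in zip(fa, fb)), sum(fa))


def sum_hw_distribution(d):
    """Distribution of h1 + h2: all that is visible when the two S-boxes run in
    parallel and only W_{2i} + W_{2i-1} can be observed (Section 5.1)."""
    out = [0] * 9
    for h1 in range(5):
        for h2 in range(5):
            out[h1 + h2] += d[h1][h2]
    return out


def indicator(e0, e1):
    """I = sum_x (E0(x) - U(x)) (E1(x) - U(x)) of Section 5.2, on probabilities."""
    f0, f1, fu = _flat(e0), _flat(e1), _flat(UNIFORM)
    t0, t1, tu = sum(f0), sum(f1), sum(fu)
    return sum((Fraction(a, t0) - Fraction(u, tu)) * (Fraction(b, t1) - Fraction(u, tu))
               for a, b, u in zip(f0, f1, fu))


if __name__ == "__main__":
    d0 = joint_hw_distribution(0, 0)  # k = 0
    d1 = joint_hw_distribution(1, 0)  # k6 = 1, hence k = 1
    for row in d0:
        print(row)
    print("|D1 - D0| =", statistical_distance(d1, d0), " |D0 - U| =", statistical_distance(d0, UNIFORM))
    print("I(k = k') =", indicator(d0, d0), " I(k != k') =", indicator(d0, d1))
```

Passing non-zero `r1`, `r2` reproduces the experiment behind Table 4 for this pair; the four biased cells sit where $H(S_2(x_2)) \in \{0, 4\}$ and $H(S_1(x_1)) \in \{2, 3\}$.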

5.3 Simulations

We ran some simulations of the previous distinguisher to evaluate our ability to predict correctly whether $k = k'$, and we obtained the results summarized in Table 5. Four intensities of noise were considered (see Appendix A for the role of the probability $p$) as well as several values for the number of samples $M$. We repeated the attack about 1000 times in each case, with a random choice of constants $R_i$.



Table 5. Simulation results: probability of success in deciding if $k = k'$

             p = 0                  p = 0.1                p = 0.25
S-boxes   M=256  4000  40000    M=256  4000  40000    M=256  4000  100000
(S1,S2)    0.5   0.65  0.98      0.5   0.59  0.90      0.5   0.51  0.69
(S2,S3)    0.67  0.99  1         0.58  0.96  1         0.52  0.61  0.99
(S3,S4)    0.5   0.54  0.83      0.5   0.54  0.72      0.5   0.5   0.54
(S4,S5)    0.5   0.59  0.94      0.5   0.56  0.80      0.5   0.51  0.59
(S5,S6)    0.5   0.59  0.93      0.5   0.56  0.81      0.5   0.51  0.63
(S6,S7)    0.51  0.61  0.96      0.5   0.57  0.84      0.5   0.51  0.65
(S7,S8)    0.70  0.99  1         0.58  0.95  1         0.51  0.59  0.99
(S8,S1)    0.5   0.57  0.91      0.5   0.56  0.77      0.5   0.51  0.58

It appears from Table 5 that the best pairs of S-boxes are $(S_2, S_3)$ and $(S_7, S_8)$, as predicted in Section 5.2. Hence, for our basic attack we will use either of these two pairs. For the variation of the attack on an 8-bit architecture, we can only use pairs with indices of the form $(2i, 2i-1)$. Fortunately we can use the pair $(7, 8)$ here, which is strongly biased.



6 Some Variations of the Attack

In the previous section, we considered a simple hypothesis where all S-boxes were computed separately. Therefore we could identify portions of the power consumption curves corresponding to each S-box. In practice, the implementations are often more complex and we need to investigate whether our attack applies to other situations.
6.1 A Real-Life Situation: 8-Bit Architecture

As an example of our attack, we have considered a recent smart-card running a software DES implementation. The card also featured some usual hardware countermeasures (but no software countermeasure like masking). These countermeasures included a variable internal clock and some random peaks of power. Despite these protections, we managed to identify the power consumption corresponding to each portion of the DES execution. This analysis first required a good understanding of the behavior of the card. The trickiest part was to eliminate the random peaks of power, but it turned out they were not “that” random and their presence was strongly correlated with the external clock.

In addition, we realized that two S-boxes are executed simultaneously by the card, i.e. each pair of adjacent S-boxes ($S_1$ and $S_2$, $S_3$ and $S_4$, etc.). Therefore, the power consumption observed is $W_{2i} + W_{2i-1}$ for $i = 1 \ldots 4$. It is strongly correlated with the sum of the Hamming weights:

$$H(y_{2i} \oplus R_{2i}) + H(y_{2i-1} \oplus R_{2i-1}) = H\big((y_{2i} \oplus R_{2i}) \,\|\, (y_{2i-1} \oplus R_{2i-1})\big)$$

Accordingly, we expect to observe 9 groups of curves locally, if we have many samples (corresponding to Hamming weights ranging from 0 to 8). In fact, due to the noise influence, it is difficult to make the groups appear very distinctly, but if we display a few curves (see Figure 4), a clear distinction starts to appear depending on the Hamming weight. Low Hamming weights correspond to low consumption (few bits are flipped from the reference states), while high Hamming weight curves are located at the top of this figure. In addition, these experiments illustrate the fact that some noise $\theta$ is indeed present, but it is relatively small compared to the data-dependent term, since the Hamming weight distinction appears clearly.

In this scenario, we can only observe the sum of power consumption for certain pairs of S-boxes. We computed theoretically the expected imbalance for these pairs (see Table 6). Here the distributions considered are over the sum of Hamming weights $h_1 + h_2$ and not the joint distribution $(h_1, h_2)$ as previously.

Hence, the statistical distances are still relatively high for the four pairs of S-boxes. To perform the Davies-Murphy power attack here, we can again use the trick of comparing two different inner rounds, as in Section 5.2.

6.2 Case When More S-Boxes are Computed Simultaneously

When considering software implementations of DES, we believe the most common situations are those where 1 or 2 S-boxes at most are computed simultaneously. This was developed in Section 5 and Section 6.1. To our knowledge, no software implementation presents a higher degree of parallelization than that.

However, when turning to DES hardware implementations, more than two S-boxes are often computed at the same time. Things are thus more complex
because we observe many biased distributions simultaneously, and this depends on many key bits. We are currently investigating some refined version of our attack in this case. We believe an attack can be achieved since the imbalance is detectable in theory, but it will probably not be very efficient.

Fig. 4. Distinction of curves according to the Hamming weight

Table 6. Statistical distances in the 8-bit scenario

S-boxes          Statistical distance |D1 - D0|
            constant = 0   worst constant   best constant   average value
(S1,S2)         1/64             0               1/8          1.097/32
(S3,S4)        1/128             0              3/64          0.406/32
(S5,S6)         1/64           1/64            21/256         1.076/32
(S7,S8)         1/16           1/16            39/256         2.627/32



7 Impact on DES Implementations 

Modern countermeasures against Side Channel Attacks are often focused against 
DPA. Accordingly they try to make intermediate data handled during the block 
cipher computation as random and unpredictable as possible. Two main tech- 
niques have receive a huge interest in recent years 

— Masking Techniques [2-4] where the idea is to ensure that critical intermedi- 
ate data are equal to the “true” data XOR some random mask. Masking the 
round input has clearly no effect, since we process randomly-chosen data. 
However masking the output is problematic since the Davies imbalance now 
depends on the mask. But, for consistency, masking countermeasures gen- 
erally require some unmasked round output (see [4]). This was not believed 
to be critical because the goal was to thwart DPA and HO-DPA. However 
DMPA will still work here, except that we need to choose two inner rounds with 
unmasked output. 

If all round outputs were masked with the same value, a higher-order 
version of DMPA could be envisaged (see footnote 6). So the best protection consists in 
masking all round outputs with a distinct value. But this is probably too 
expensive in practice (actual countermeasures use one or two masking values 
at most). 

— Duplication Techniques [12] where all intermediate data are split into two 
parts, using the secret sharing principle. However, by analyzing simulta- 
neously the behavior of both parts, the Davies imbalance should still be 
observed. Since everything is duplicated, the analysis is probably more com- 
plicated because 4 S-boxes need to be considered instead of just 2. 

Therefore the Davies-Murphy Power Attack (DMPA) is likely to defeat most 
“software” countermeasures. In fact, this new attack is not fundamentally dif- 
ferent from classical DPA: both gather power traces and sort them according to 
some intermediate data, the goal being to verify a guess on a few key bits. How- 
ever, while DPA focuses on predicting some data from the plaintext and a few 
key bits, DMPA does not require the knowledge of the plaintext. The analysis 
is based only on the internal structure of DES and we can predict intermediate 
data (actually a bias on intermediate data) only from a few key bits. The ad- 
vantage is that we can focus our analysis on any inner round, while DPA usually 
focuses on the first (or last) rounds of DES. 

Another advantage is that countermeasures designed specifically to thwart 
the family of DPA attacks (like masking, duplication, or others ...) are unlikely to 
be very efficient as a protection against DMPA. The main drawback of the attack 
is that it is rather expensive in terms of messages encrypted. Moreover it requires 
a fine analysis of the electric behavior of the target cryptographic hardware, in 
order to find an appropriate power consumption model and to identify each 
portion of the DES execution. So there is a lot of preliminary analysis to do 
before applying the attack. 

Finally DMPA proves that even a slight weakness or small “non-random” be- 
havior of a cipher can be exploited to mount a side channel attack. Software 
countermeasures are helpful to complicate the task of the attacker, but a better 
protection against power attacks will be obtained if 

— the cipher behaves as randomly as possible. 

— efficient hardware countermeasures are implemented, to limit the information 
leaked in the electric consumption. 



6 Actually the trick from Section 5.2 of using power traces of any two inner rounds is 
already, by definition, a second-order attack. 

8 Extensions 

All our analysis has focused on the case of DES. Indeed the principle of the Davies- 
Murphy attack was initially developed specifically against DES. However, more 
generally, for any Feistel cipher with a non-bijective round function, some im- 
balance in the round output necessarily exists. In this case, the requirements for 
DMPA are: 

— Express the output imbalance with a small number of key bits. 

— Find a correlation between the non-randomly distributed data and the elec- 
tric consumption. 

The first requirement depends on the cipher, while the second depends on 
the cryptographic hardware considered. We did not explore further to find ap- 
plications on other algorithms but we believe it is an interesting topic for further 
research. 



9 Conclusion 

We have proposed a new side channel attack against DES, the Davies-Murphy 
Power Attack. It is based on the well-known Davies-Murphy attack. Like its 
predecessor, our attack uses non-uniform output distributions of adjacent S- 
boxes. Then we detect this imbalance using electric consumption curves. 

DMPA is very powerful, because it requires no information about the plain- 
text and can be performed on any inner rounds of DES. Therefore we believe 
it can defeat software countermeasures, which do not take into account this 
type of threat. However DMPA is rather expensive: good knowledge of the de- 
vice behavior regarding power consumption is required, and the data processing 
complexity is rather high. For a non-protected implementation of DES, simpler 
side-channel attacks (like DPA) should be preferred. 
A Statistical Influence of the Noise 

In Section 5, we are interested in distinguishing two distributions, D_0 and D_1. 
Our analysis of DES revealed that the statistical distance d = |D_0 - D_1| was 
sufficiently large to distinguish between these two distributions. But in practice 
we need to build an empirical observation of these distributions in the presence of 
noise. As we argued, this noise is generally small, but still it may result in errors 
of prediction in the threshold technique of Figure 3. There is a small probability 
p that the noise is larger than 0.5 Δ and thus we predict h+1 or h-1 instead of 
the “true” h. We call D'_i the new distribution obtained when the noise is taken 
into account. We have: 

    D'_i(h) = p D_i(h - 1) + p D_i(h + 1) + (1 - 2p) D_i(h) 

Thus 

    Δ(h) = D'_i(h) - D_i(h) = p · [D_i(h - 1) + D_i(h + 1) - 2 D_i(h)] 

Δ(h) is the difference of probability of deciding h, resulting from the noise in- 
fluence. We see that if p ≪ 1, then Δ(h) ≪ 1 for all h ∈ {0, ..., 4}. Therefore 
the distance |D'_i - D_i|, summed over h, is bounded by a small ε, for i = 0, 1. 
Hence, it is still possible to make the difference between the two 
distributions since 

    |D'_1 - D'_0| ≤ |D'_1 - D_1| + |D_1 - D_0| + |D'_0 - D_0| 
                ≤ |D_1 - D_0| + 2ε 

Therefore as long as the noise results in small probabilities of incorrect deci- 
sions, we can still apply the same methods. 
Abstract. T-functions are a new class of primitives which have recently 
been introduced by Klimov and Shamir. The several concrete proposals 
by the authors have multiplication and squaring as core nonlinear op- 
erations. Firstly, we present time-memory trade-off algorithms to solve 
the problems related to multiplication and squaring. Secondly, we apply 
these algorithms to two of the proposals of multi-word T-functions. For 
the proposal based on multiplication we can recover the 128 unknown bits 
of the state vector in 2^{40} time whereas for the proposal based on squaring 
the 128 unknown bits can be recovered in 2^{21} time. The required amount 
of key stream is a few (less than five) 128-bit blocks. Experimental data 
from implementation suggests that our attacks work well in practice and 
hence such proposals are not secure enough for stand-alone usage. Fi- 
nally, we suggest the use of conjugate permutations to possibly improve 
the security of T-functions while retaining some attractive theoretical 
properties. 



Keywords: stream cipher, T-functions, multiplication, cryptanalysis, 
time-memory trade-off. 



1 Introduction 

Stream ciphers are a fundamental primitive in cryptography. Encryption is per- 
formed by XORing the message bit sequence with a pseudo-random bit sequence 
while decryption is performed by XORing the cipher bit sequence once more with 
the same pseudo-random bit sequence. 

The cryptographic strength of a stream cipher depends on the unpredictabil- 
ity of the pseudo-random bit sequence. The other important issue is efficiency of 
the pseudo-random generator. Most practical proposals for stream ciphers strive 
to achieve a good balance between speed and security. Typically stream ciphers 
are built out of linear feedback shift registers, nonlinear Boolean functions and 
S-boxes. See [4] for various models of stream ciphers. 

P.J. Lee (Ed.): ASIACRYPT 2004, LNCS 3329, pp. 468-482, 2004. 
Recently Klimov and Shamir [1-3] have proposed a new class of primitives for de- 
sign of stream ciphers. They call their primitive T-functions and have developed a 
nice theory for analysing T-functions. From an efficiency point of view, T-functions 
are extremely attractive, since they can be built using fast and easily available opera- 
tions on most processors. From a security point of view, there are many nice features 
including the single cycle property of the underlying permutation. 

Klimov and Shamir [3] have also introduced multi-word T-functions and have 
extended their theory to cover such functions. In [3], they present several concrete 
constructions of multi-word T-functions. A key constituent of their proposals is 
multiplication modulo 2^{64}. 

Our Contributions: In the first part of the paper, we study the following 
problem related to multiplication. Suppose x, y and z are n-bit integers satisfying 
xy mod 2^n = z. Further, suppose the m most significant bits of x, y and z are 
known. The problem is to compute all possible combinations of the (n - m) least 
significant bits of x and y such that the multiplication holds. 

We present a time-memory trade-off algorithm to solve this problem and make 
a detailed study of the effectiveness of the algorithm under different scenarios. 
We also study the related problem of squaring, i.e., when x = y. It turns out 
that the algorithm for multiplication is not efficient for squaring and hence we 
develop a separate algorithm to solve this problem. Apart from the application 
to T-functions, our algorithm can possibly be used for analysing other ciphers 
based on multiplication. 

The second part of the paper consists of analysing the security of two concrete 
proposals of multi-word T-functions from [3]. The first proposal involves multi- 
plication and the T-function operates on a state vector consisting of four 64-bit 
words. The pseudo-random bit sequence obtained from the state vector consists 
of the 32 most significant bits of each of the four 64-bit words. Thus the state 
vector has 128 unknown bits. We perform a detailed analysis of this T-function. 
The major step in the analysis consists of an application of (a modification of) 
the algorithm to solve multiplication as mentioned above. The final result that 
we obtain is that the 128 unknown bits can be computed in 2^{40} time which 
makes this proposal unsafe for stand-alone use as a pseudo-random generator. 

The second proposal that we consider also operates on a state vector of 
four 64-bit words and produces 128 bits as before. The difference is that this 
proposal involves squaring instead of multiplication. Consequently, our analysis 
of this proposal involves the algorithm to solve squaring. In this case, we obtain 
an algorithm that determines the 128 unknown bits in 2^{21} time. Hence this 
proposal is much more insecure than the one based on multiplication. 

The required amount of known pseudo-random key stream for both the above 
attacks is only a few (less than five) 128-bit consecutive key stream blocks. In 
most cases, we expect the attack to work with only three 128-bit consecutive key 
stream blocks. This shows that these two proposals, and probably other similar 
proposals, are not secure enough for stand-alone usage. 

One possibility for improving the security is to extract fewer bits 
from each state vector. We consider this possibility for the multiplication based 
T-function mentioned above, where only the 16 most significant bits of each 64- 
bit word of the state vector are produced as output. Thus a total of 64 bits are 
produced from each state vector and 192 bits are unknown. Our attack also 
applies to this situation and the 192 unknown bits can be obtained in 2^^^ time. 
Though infeasible in practice, this constitutes a theoretical attack on the system. 

We have implemented the algorithm to solve multiplication and our esti- 
mate of the expected run-time is supported by experimental data. We have also 
implemented the attack on a scaled down version of the multiplication based 
T-function. Instead of a state vector consisting of four 64-bit words we have 
worked with four 32-bit words. In this case, we can actually recover the 64 un- 
known bits of the state vector. This shows that our attack works quite well in 
practice. We have also implemented the algorithm to solve the squaring prob- 
lem and the corresponding attack on the 64-bit version of the squaring based 
T-function proposal. Experiments show that the attack performs as predicted 
by the theoretical analysis. 

Finally, we suggest a method based on conjugate permutations to possibly 
improve the security of T-functions while maintaining some desirable features 
such as the single cycle property. 



2 Multiplication 

We consider the following problem. Suppose two n-bit integers x and y are 
multiplied modulo 2^n to obtain an n-bit integer z. The m most significant bits 
(MSBs) of x, y and z are known and we have to find all possible solutions for 
the (n - m) least significant bits (LSBs) of x and y such that xy mod 2^n = z. 
This problem can be stated more precisely as follows: 

Problem: Mult 

Input: Three integers x^{(1)}, y^{(1)} and z^{(1)} such that 0 ≤ x^{(1)}, y^{(1)}, z^{(1)} < 2^m. 

Task: Find all pairs of integers (x^{(0)}, y^{(0)}) such that 0 ≤ x^{(0)}, y^{(0)} < 2^{n-m}, 
x = x^{(1)} 2^{n-m} + x^{(0)}, y = y^{(1)} 2^{n-m} + y^{(0)} and 

    ⌊(xy mod 2^n) / 2^{n-m}⌋ = ⌊xy / 2^{n-m}⌋ mod 2^m = z^{(1)}.                (1) 

Note that the operation x mod 2^t returns the t LSBs of x and the operation 
⌊x/2^t⌋ returns x ≫ t, i.e. the binary representation of x right shifted t times. The 
number of unknown bits in the pair (x^{(0)}, y^{(0)}) is 2(n - m) and the m known 
bits on the right hand side of (1) impose m restrictions on these unknowns. 
Hence, on an average, one should expect 2^{2(n-m)-m} = 2^{2n-3m} distinct pairs 
(x^{(0)}, y^{(0)}) to be solutions to Mult. See Section 5 for an empirical justification 
of this statement. 

We first consider the naive approaches to solve Mult. There are (2n - 2m) 
unknown bits and one approach is to try all possible combinations of these un- 
known bits. This approach requires 2^{2n-2m} time. The second naive approach 
using an offline table computation can be described as follows. For each pos- 
sible pair of n-bit integers (x, y) compute the product z = xy mod 2^n. Store 
in Tab[x^{(1)}, y^{(1)}, z^{(1)}] the set of all pairs (x^{(0)}, y^{(0)}) which are solutions to Mult 
for the instance (x^{(1)}, y^{(1)}, z^{(1)}). This table takes 2^{2n} time to prepare and store. 

The preparation of the table can be done offline. Given a particular instance 
(x^{(1)}, y^{(1)}, z^{(1)}) of Mult the solutions can be directly obtained from the entries of 
the row Tab[x^{(1)}, y^{(1)}, z^{(1)}]. Since, on an average, there are 2^{2n-3m} solutions, at 
least this amount of online time will be required in producing the solutions. 
Thus the online time will be at least 2^{2n-3m} (requiring 2^{2n} precomputation 
time and a table of size 2^{2n}) and at most 2^{2n-2m} (using exhaustive online search 
but without using any look-up table). We describe solutions to Mult whose online 
time complexity is between the two extreme values and which use a table of 
moderate size. Thus our algorithms can be considered to be time-memory trade- 
off algorithms. 

To improve readability, we will use the same notation for an integer and its 
binary representation. Also the length of a binary string will be denoted by |.|. 
Thus a binary string x of length |x| = k denotes an integer x ∈ {0, ..., 2^k - 1}. 
For two binary strings x_1 and x_2, by (x_2, x_1) we denote the binary string x 
obtained by concatenating x_2 and x_1. Using the integer representation of x_1, x_2 
and x we have x = 2^{|x_1|} x_2 + x_1. 

Using this notation, we write x = x^{(1)} 2^{n-m} + x^{(0)}, y = y^{(1)} 2^{n-m} + y^{(0)} and 
z = z^{(1)} 2^{n-m} + z^{(0)}, where |x| = |y| = |z| = n, |x^{(1)}| = |y^{(1)}| = |z^{(1)}| = m and 
|x^{(0)}| = |y^{(0)}| = |z^{(0)}| = n - m. We now introduce parameters n_0, n_1 and n_2 
defined by the following equations. 

    x = X^{(2)} 2^{n_1+n_0} + X^{(1)} 2^{n_0} + X^{(0)} 
    y = Y^{(1)} 2^{n_1} + Y^{(0)}                                            (2) 
    z = Z^{(1)} 2^{n_1+n_0} + Z^{(0)} 

where |X^{(2)}| = n_2, |X^{(1)}| = n_1, |X^{(0)}| = n_0, |Y^{(1)}| = n - n_1, |Y^{(0)}| = n_1, 
|Z^{(1)}| = n_2 and |Z^{(0)}| = n_1 + n_0. We require these parameters to satisfy certain 
conditions. These conditions are given below. 



1. n_0 + n_1 + n_2 = n : This is required since x, y and z are n-bit integers. 

2. n_0 ≤ n - m : This ensures that X^{(0)} is a suffix of x^{(0)}. 

3. n_2 ≤ m : This ensures that X^{(2)} is a prefix of x^{(1)}. 

4. n_1 ≤ n - m : This ensures that Y^{(0)} is a suffix of y^{(0)}. 

5. n_1 ≤ n_2 : This ensures that the expected number of entries in 
each row of Tab[] (see later) is one. The case n_1 > n_2 
is also feasible but does not provide better results. 

6. n_2 + n_1 ≥ m : The case n_2 + n_1 < m is also feasible, but does not 
provide better results and hence we do not consider it. 



We now define binary strings U^{(2)}, U^{(1)} and U^{(0)} in the following manner. The 
strings U^{(2)} and U^{(1)} are such that x^{(0)} = (U^{(1)}, X^{(0)}) and X^{(1)} = (U^{(2)}, U^{(1)}), 
where |U^{(1)}| = n - m - n_0 and |U^{(2)}| = m - n_2. Then x^{(1)} = (X^{(2)}, U^{(2)}). The 
string U^{(0)} is such that y^{(0)} = (U^{(0)}, Y^{(0)}), where |U^{(0)}| = n - m - n_1. Then 
Y^{(1)} = (y^{(1)}, U^{(0)}). Note that the y^{(1)} portion of Y^{(1)} is provided as part of the 
input whereas the U^{(0)} part of Y^{(1)} has to be determined. Also the string U^{(1)} 
is part of x^{(0)} and has to be determined. These substrings are shown in Figure 1. 

Fig. 1. Definitions of substrings [figure not reproduced] 



Our algorithm is based on the following result. 



Proposition 1. 

    ⌊xy / 2^{n-n_2}⌋ = r + d + c, where r = ⌊x Y^{(1)} 2^{n_1} / 2^{n-n_2}⌋, 
    d = Y^{(0)} X^{(2)} + ⌊Y^{(0)} X^{(1)} 2^{n_0} / 2^{n-n_2}⌋ and c ∈ {0, 1, 2}. 

Proof: We write 

    xy = x Y^{(1)} 2^{n_1} + x Y^{(0)} 
       = x Y^{(1)} 2^{n_1} + Y^{(0)} X^{(2)} 2^{n_0+n_1} + Y^{(0)} X^{(1)} 2^{n_0} + Y^{(0)} X^{(0)}. 

Note that r = ⌊x Y^{(1)} 2^{n_1} / 2^{n-n_2}⌋. Now 

    ⌊xy / 2^{n-n_2}⌋ = ⌊ x Y^{(1)} 2^{n_1} / 2^{n-n_2} + Y^{(0)} X^{(2)} 2^{n_0+n_1} / 2^{n-n_2} 
                          + Y^{(0)} X^{(1)} 2^{n_0} / 2^{n-n_2} + Y^{(0)} X^{(0)} / 2^{n-n_2} ⌋ 
                    = ⌊x Y^{(1)} 2^{n_1} / 2^{n-n_2}⌋ + Y^{(0)} X^{(2)} + ⌊Y^{(0)} X^{(1)} 2^{n_0} / 2^{n-n_2}⌋ 
                          + ⌊Y^{(0)} X^{(0)} / 2^{n-n_2}⌋ + c 

for some c ∈ {0, 1, 2}. Further, since Y^{(0)} < 2^{n_1} and X^{(0)} < 2^{n_0}, we have 
Y^{(0)} X^{(0)} < 2^{n_0+n_1} = 2^{n-n_2} and hence ⌊Y^{(0)} X^{(0)} / 2^{n-n_2}⌋ = 0. Putting all 
these together gives us the required result. □ 
Based on Proposition 1 we have the following algorithm to solve Mult. The 
algorithm uses a table Tab[] which is prepared in the first phase and is used to 
solve Mult in the second phase. 

Algorithm 1 
Input: x^{(1)}, y^{(1)} and z^{(1)} 

1. Write x^{(1)} = (X^{(2)}, U^{(2)}) where |X^{(2)}| = n_2 and |U^{(2)}| = m - n_2; 
2. set Z^{(1)} to the n_2 most significant bits of z^{(1)}; 
3. for U^{(1)} ∈ {0,1}^{n-m-n_0} (Tab[] is empty at the start of each iteration) 
4.   set X^{(1)} = (U^{(2)}, U^{(1)}); 
5.   for Y^{(0)} ∈ {0,1}^{n_1} 
6.     compute d^{(1)} = Y^{(0)} X^{(2)} + ⌊(Y^{(0)} X^{(1)} 2^{n_0}) / 2^{n-n_2}⌋ mod 2^{n_2}; 
7.     Tab[d^{(1)}] = Tab[d^{(1)}] ∪ {Y^{(0)}}; 
8.   end for; 
9.   for (X^{(0)}, U^{(0)}) ∈ {0,1}^{n_0} × {0,1}^{n-m-n_1} 
10.    set Y^{(1)} = (y^{(1)}, U^{(0)}); set x = (x^{(1)}, U^{(1)}, X^{(0)}); 
11.    compute r^{(1)} = ⌊(x Y^{(1)} 2^{n_1}) / 2^{n-n_2}⌋ mod 2^{n_2}; 
12.    for c ∈ {0, 1, 2} 
13.      compute d^{(1)} = Z^{(1)} - r^{(1)} - c (mod 2^{n_2}); 
14.      for each Y^{(0)} ∈ Tab[d^{(1)}] 
15.        set y = (Y^{(1)}, Y^{(0)}); 
16.        if (⌊(xy) / 2^{n-m}⌋ mod 2^m = z^{(1)}) then 
17.          set x^{(0)} = (U^{(1)}, X^{(0)}) and y^{(0)} = (U^{(0)}, Y^{(0)}); 
18.          output (x^{(0)}, y^{(0)}); 
19.        end if; 
20.      end for; 
21.    end for; 
22.  end for; 
23. end for; 
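Algorithm 1 in code, as an added example that is not the paper's own implementation: the field widths follow Equation (2), the table is rebuilt for each U^{(1)}, and an exhaustive search over all 2^{2(n-m)} pairs confirms that the solver returns exactly the solution set of Mult. The instance values and the small parameters (n = 16, m = 8) are constructed here; the function names are this example's own.

```python
# Added example (not the paper's code): Algorithm 1 for Mult with small
# parameters, plus an exhaustive search to confirm it finds exactly the
# same solution set.  Field widths follow Equation (2) and conditions 1-6.
from collections import defaultdict
from itertools import product


def make_instance(x, y, n, m):
    """Constructed Mult instance from a chosen (x, y): return (x1, y1, z1)."""
    z = (x * y) & ((1 << n) - 1)
    return x >> (n - m), y >> (n - m), z >> (n - m)


def mult_algorithm1(x1, y1, z1, n, m, n0, n1, n2):
    """Return the set of (x0, y0) with floor(xy / 2^(n-m)) mod 2^m == z1,
    where x = x1*2^(n-m) + x0 and y = y1*2^(n-m) + y0 (Problem Mult)."""
    assert n0 + n1 + n2 == n and n0 <= n - m and n2 <= m      # conditions 1-3
    assert n1 <= n - m and n1 <= n2 and n1 + n2 >= m           # conditions 4-6
    mask_n2 = (1 << n2) - 1
    mask_m = (1 << m) - 1
    # Step 1: x1 = (X2, U2) with |X2| = n2 and |U2| = m - n2.
    x2, u2 = x1 >> (m - n2), x1 & ((1 << (m - n2)) - 1)
    # Step 2: Z1 = the n2 most significant bits of z1.
    zz1 = z1 >> (m - n2)
    solutions = set()
    # Step 3: U1 is the unknown top part of x0, |U1| = n - m - n0.
    for u1 in range(1 << (n - m - n0)):
        xx1 = (u2 << (n - m - n0)) | u1                  # Step 4: X1 = (U2, U1)
        # Steps 5-8: Tab[] is rebuilt for each U1, indexed by d1 = d mod 2^n2.
        tab = defaultdict(list)
        for yy0 in range(1 << n1):
            d1 = (yy0 * x2 + (((yy0 * xx1) << n0) >> (n - n2))) & mask_n2
            tab[d1].append(yy0)
        # Step 9: X0 is the low n0 bits of x0, U0 the unknown low part of Y1.
        for xx0, u0 in product(range(1 << n0), range(1 << (n - m - n1))):
            yy1 = (y1 << (n - m - n1)) | u0              # Step 10: Y1 = (y1, U0)
            x = (x1 << (n - m)) | (u1 << n0) | xx0       # x = (x1, U1, X0)
            r1 = (((x * yy1) << n1) >> (n - n2)) & mask_n2         # Step 11
            for c in range(3):                           # Steps 12-13: carry c
                d1 = (zz1 - r1 - c) & mask_n2
                for yy0 in tab.get(d1, ()):              # Step 14
                    y = (yy1 << n1) | yy0                # Step 15: y = (Y1, Y0)
                    if ((x * y) >> (n - m)) & mask_m == z1:        # Step 16
                        solutions.add(((u1 << n0) | xx0, (u0 << n1) | yy0))
    return solutions


def mult_bruteforce(x1, y1, z1, n, m):
    """Exhaustive search over all 2^(2(n-m)) pairs, for checking."""
    mask_m = (1 << m) - 1
    found = set()
    for x0 in range(1 << (n - m)):
        x = (x1 << (n - m)) | x0
        for y0 in range(1 << (n - m)):
            y = (y1 << (n - m)) | y0
            if ((x * y) >> (n - m)) & mask_m == z1:
                found.add((x0, y0))
    return found


def verify(x, y, n, m, n0, n1, n2):
    """Run Algorithm 1 on the instance built from (x, y) and compare with
    exhaustive search; return (agrees, number_of_solutions, contains_xy)."""
    x1, y1, z1 = make_instance(x, y, n, m)
    sols = mult_algorithm1(x1, y1, z1, n, m, n0, n1, n2)
    mask = (1 << (n - m)) - 1
    agrees = sols == mult_bruteforce(x1, y1, z1, n, m)
    return agrees, len(sols), (x & mask, y & mask) in sols


if __name__ == "__main__":
    # n = 16, m = 8 with n0 = 4, n1 = n2 = 6 (the shape of Case 2, n2 < m).
    agrees, count, found = verify(0xA7C3, 0x3D91, 16, 8, 4, 6, 6)
    print(count, "solutions; expected about 2^(2n-3m) =", 2 ** (2 * 16 - 3 * 8))
    print("matches exhaustive search:", agrees, "contains the planted pair:", found)
```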

2.1 Complexity of Algorithm 1 

The space complexity of Algorithm 1 is the space required to store Tab[]. By 
construction Tab[] has 2^{|Z^{(1)}|} = 2^{n_2} rows and a total of 2^{|Y^{(0)}|} = 2^{n_1} entries in 
all the rows. By Condition 5 after Equation (2) we have n_1 ≤ n_2 and hence on 
an average the number of entries in each row of Tab[] is at most one. 

The time required by Algorithm 1 depends on the number of entries in a row 
of Tab[]. The expected number of such entries is one and this allows us to obtain 
the expected run-time R of Algorithm 1: 

    R = 2^{|U^{(1)}|} (2^{|Y^{(0)}|} + 3 × 2^{|X^{(0)}|} × 2^{|U^{(0)}|}) 
      = 2^{n-m-n_0} (2^{n_1} + 3 × 2^{n_0+n-m-n_1})                          (3) 
We now consider two cases and obtain the value of R in each case. 

Case 1: n_2 = m. Hence n_0 + n_1 = n - m. In this case R = 2^{2n_1} + 3 × 2^{2(n-m)-n_1}. 

Subcase 1a: n = 64 and m = 32. Then R = 2^{2n_1} + 3 × 2^{64-n_1}. This expression 
is minimized when n_1 = 22, whence R = 2^{44} + 3 × 2^{42} = 7 × 2^{42}. 

Subcase 1b: n = 64 and m = 16. Then R = 2^{2n_1} + 3 × 2^{96-n_1}. Since n_1 ≤ n_2 = 
m = 16, the maximum value of n_1 is 16. Choosing n_1 = 16 gives R = 2^{32} + 3 × 2^{80}. 

Case 2: n_2 < m. This case is more complicated to analyse and we first perform 
a special case analysis by setting n_2 = n_1. Then n_0 = n - 2n_1 and R = 2^{3n_1-m} + 
3 × 2^{2n-2m-n_1}. 

Subcase 2a: n = 64 and m = 32. Choosing n_1 = 24 we have R = 2^{40} + 3 × 2^{40} = 2^{42}. 

In general n_2 ≠ n_1. However, we have verified that for n = 64 and m = 32 
and for all possible distinct values of n_0, n_1 and n_2, the value of R is minimized 
for n_2 = n_1 = 24 and n_0 = 16. Thus the special case is also optimal for the 
general case. In fact, for n = 64 and m = 32, R = 2^{42} is the minimum possible 
expected run-time for Algorithm 1. 

2.2 Offline Table Preparation 

The expected run-time of Algorithm 1 can be made optimal by using a larger table 
which can be prepared offline. We describe this idea for n = 64 and m = 32. 
Write x = (x^{(1)}, x^{(0)}) and y = (y^{(1)}, y^{(0)}). We write ⌊(xy) / 2^{32}⌋ = d + r, 
where d = ⌊(x y^{(0)}) / 2^{32}⌋ and r = x y^{(1)}. 

In the offline table preparation phase, for each (x^{(1)}, x^{(0)}, y^{(0)}) ∈ {0,1}^{32} × 
{0,1}^{32} × {0,1}^{32}, we compute d = ⌊(x y^{(0)}) / 2^{32}⌋ mod 2^{32} and set 
Tab[x^{(1)}, x^{(0)}, d] = Tab[x^{(1)}, x^{(0)}, d] ∪ {y^{(0)}}. 

In the online phase, we are given x^{(1)}, y^{(1)} and z^{(1)}. For each possible value 
of x^{(0)} ∈ {0,1}^{32}, we compute r = x y^{(1)} mod 2^{32}; d = z^{(1)} - r mod 2^{32} and for 
each y^{(0)} ∈ Tab[x^{(1)}, x^{(0)}, d] output (x^{(0)}, y^{(0)}). 

The run-time for table preparation is 2^{96}; the space required to store Tab[] 
is also 2^{96} and the (expected) runtime of the online phase is 2^{32}. Since there are 
2^{32} solutions, the online run-time is the minimum possible. This comes at an 
expense of huge offline processing time and space. 



3 Squaring 

In the case x = y, the problem Mult reduces to squaring which can be formally 
stated as follows. 

Problem: Sqr 

Input: Two integers x^{(1)} and z^{(1)} such that 0 ≤ x^{(1)}, z^{(1)} < 2^m. 

Task: Find all integers x^{(0)} such that 0 ≤ x^{(0)} < 2^{n-m}, x = x^{(1)} 2^{n-m} + x^{(0)} and 

    ⌊(x^2 mod 2^n) / 2^{n-m}⌋ = ⌊x^2 / 2^{n-m}⌋ mod 2^m = z^{(1)}.                (4) 
Note that there are (n - m) unknown bits and m constraints. Hence the 
expected number of solutions is max(1, 2^{n-2m}). If n = 2m, then the expected 
number of solutions is one. Algorithm 1 is not very efficient for Sqr, so we 
have to deal with the problem separately. 

Let n_0, n_1 be such that n_0 + n_1 = n - m and x = X^{(2)} 2^{n_1+n_0} + X^{(1)} 2^{n_0} + X^{(0)}, 
where |X^{(2)}| = m, |X^{(1)}| = n_1 and |X^{(0)}| = n_0 with n_0 ≤ m. 



Proposition 2. 

    ⌊x^2 / 2^{n_1+2n_0}⌋ = r + d + c, where r = 2^{n_1} (X^{(2)})^2 + ⌊(X^{(1)})^2 / 2^{n_1}⌋ + 2 X^{(2)} X^{(1)}, 
    d = ⌊2 X^{(2)} X^{(0)} / 2^{n_0}⌋ and c ∈ {0, 1, 2, 3}. 

Based on Proposition 2, we have the following algorithm to solve Sqr. 

Algorithm 2 
Input: x^{(1)} and z^{(1)} 

1. set k = n - (n_1 + 2n_0) = m - n_0; 
2. for X^{(0)} ∈ {0,1}^{n_0} 
3.   compute d = ⌊2 X^{(2)} X^{(0)} / 2^{n_0}⌋ mod 2^k; 
4.   Tab[d] = Tab[d] ∪ {X^{(0)}}; 
5. end for; 
6. for X^{(1)} ∈ {0,1}^{n_1} 
7.   compute r = 2^{n_1} (X^{(2)})^2 + ⌊(X^{(1)})^2 / 2^{n_1}⌋ + 2 X^{(2)} X^{(1)} mod 2^k; 
8.   for each c ∈ {0, ..., 3} 
9.     compute d = ⌊z^{(1)} / 2^{n_0}⌋ - r - c mod 2^k; 
10.    for each X^{(0)} ∈ Tab[d] 
11.      if (⌊x^2 / 2^{n-m}⌋ mod 2^m = z^{(1)}) then output x^{(0)} = (X^{(1)}, X^{(0)}); 
12.    end for; 
13.  end for; 
14. end for; 

The space complexity of Algorithm 2 is 2^{m-n_0} and the (expected) time com- 
plexity is R = 2^{n_0} + 4 × 2^{n_1}. 



Case 1: n = 64, m = 32. In this case we choose n_0 = n_1 = 16. Then the space 
complexity is 2^{16} and the time complexity is R = 2^{16} + 4 × 2^{16} = 5 × 2^{16}. This 
particular choice of n_0 and n_1 minimizes the value of R. 

Case 2: n = 64, m = 16. Choosing n_0 = 8 and n_1 = 40 gives a run-time 
R = 2^8 + 4 × 2^{40}. 
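Algorithm 2 in code, as an added example that is not the paper's own implementation: X^{(2)} is the known x^{(1)}, the unknown x^{(0)} is split into X^{(1)} and X^{(0)}, and the carry c of Proposition 2 is tried over 0..3. The instances and the reduced parameters (n = 16 with m = 8 and m = 6) are constructed here; an exhaustive search confirms the solution set.

```python
# Added example (not the paper's code): Algorithm 2 for Sqr with small
# parameters, checked against exhaustive search.  X2 is the known x1,
# X1 and X0 split the unknown x0 with |X1| = n1 and |X0| = n0.
from collections import defaultdict


def make_sqr_instance(x, n, m):
    """Constructed Sqr instance from a chosen x: return (x1, z1)."""
    z = (x * x) & ((1 << n) - 1)
    return x >> (n - m), z >> (n - m)


def sqr_algorithm2(x1, z1, n, m, n0, n1):
    """Return the set of x0 with floor(x^2 / 2^(n-m)) mod 2^m == z1,
    where x = x1*2^(n-m) + x0 (Problem Sqr)."""
    assert n0 + n1 == n - m and n0 <= m
    k = m - n0                                   # Step 1: k = n - (n1 + 2 n0)
    mask_k = (1 << k) - 1
    mask_m = (1 << m) - 1
    x2 = x1                                      # |X2| = m: the known prefix
    # Steps 2-5: Tab[d] collects every X0 with d = floor(2 X2 X0 / 2^n0) mod 2^k.
    tab = defaultdict(list)
    for xx0 in range(1 << n0):
        tab[((2 * x2 * xx0) >> n0) & mask_k].append(xx0)
    solutions = set()
    # Steps 6-14: for every X1, r is the part of floor(x^2 / 2^(n1+2n0)) that
    # does not involve X0; the carry c of Proposition 2 ranges over 0..3.
    for xx1 in range(1 << n1):
        r = (((x2 * x2) << n1) + ((xx1 * xx1) >> n1) + 2 * x2 * xx1) & mask_k  # Step 7
        for c in range(4):
            d = ((z1 >> n0) - r - c) & mask_k                                 # Step 9
            for xx0 in tab.get(d, ()):
                x = (x1 << (n - m)) | (xx1 << n0) | xx0
                if ((x * x) >> (n - m)) & mask_m == z1:                       # Step 11
                    solutions.add((xx1 << n0) | xx0)
    return solutions


def sqr_bruteforce(x1, z1, n, m):
    """Exhaustive search over all 2^(n-m) values of x0, for checking."""
    mask_m = (1 << m) - 1
    return {x0 for x0 in range(1 << (n - m))
            if ((((x1 << (n - m)) | x0) ** 2) >> (n - m)) & mask_m == z1}


def verify_sqr(x, n, m, n0, n1):
    """Compare Algorithm 2 with exhaustive search on the instance built from x;
    return (agrees, number_of_solutions, contains_x0)."""
    x1, z1 = make_sqr_instance(x, n, m)
    sols = sqr_algorithm2(x1, z1, n, m, n0, n1)
    agrees = sols == sqr_bruteforce(x1, z1, n, m)
    return agrees, len(sols), (x & ((1 << (n - m)) - 1)) in sols


if __name__ == "__main__":
    # n = 2m scaled down to n = 16, m = 8: expected max(1, 2^(n-2m)) = 1 solution.
    print(verify_sqr(0xB6E5, 16, 8, 4, 4))
    # m below n/2: n = 16, m = 6, n0 = 4, n1 = 6; about 2^(n-2m) = 16 solutions.
    print(verify_sqr(0xB6E5, 16, 6, 4, 6))
```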



4 Attacks on T-Functions 

We consider two specific proposals of multiword T-functions from [3] and de- 
scribe attacks on them. These T-functions operate on an internal state vector 
which consists of four 64-bit words. Applying a T-function once to the state 
vector changes the value of each of the four 64-bit words. As suggested in [3], 
the extracted output consists of the most significant 32 bits of each of the four 
64-bit words of the state vector. Thus applying the T-function repeatedly to the 
state vector produces a sequence of 128-bit (four 32-bit words) output blocks. 
These output blocks are treated as the generated pseudo-random sequence. The 
secret key consists of the initial 256-bit (four 64-bit words) value of the state 
vector. 

For the attack we will assume that several consecutive output blocks are 
known. We actually require only two consecutive output blocks to perform the 
attack and a few more to verify the correctness. The goal of our attack is to 
obtain the complete 256-bit (four 64-bit words) value of the internal state vector 
at some point of time. 

For a 64-bit word w, let msb(w) (resp. lsb(w)) denote the 32 most (resp. least) 
significant bits of w. Let (x_0, x_1, x_2, x_3) be the internal state vector at some 
point of time. Let (y_0, y_1, y_2, y_3) be the state vector after application of T to 
(x_0, x_1, x_2, x_3), i.e., (y_0, y_1, y_2, y_3) = T(x_0, x_1, x_2, x_3). The outputs correspond- 
ing to (x_0, x_1, x_2, x_3) and (y_0, y_1, y_2, y_3) are (msb(x_0), msb(x_1), msb(x_2), msb(x_3)) 
and (msb(y_0), msb(y_1), msb(y_2), msb(y_3)) respectively. We assume that these out- 
puts are known and our attack is to compute (lsb(x_0), lsb(x_1), lsb(x_2), lsb(x_3)). 

There are a total of 128 unknown bits in (x_0, x_1, x_2, x_3) and a method to 
obtain them in time less than 2^{128} constitutes an attack on the system. Our 
algorithms are much more efficient: the attacks in Section 4.1 and Section 4.2 
require time 2^{40} and 2^{21} respectively to compute the 128 unknown bits. 



4.1 Attack on Multiplication Based T-Function 

Consider the following T-function: 

    ( x_0 )       ( x_0 ⊕ s ⊕ (2(x_1 ∨ C_1) x_2)        ) 
    ( x_1 )  ←    ( x_1 ⊕ (s ∧ a_0) ⊕ (2 x_2 (x_3 ∨ C_3)) ) 
    ( x_2 )       ( x_2 ⊕ (s ∧ a_1) ⊕ (2(x_3 ∨ C_3) x_0)  )                (5) 
    ( x_3 )       ( x_3 ⊕ (s ∧ a_2) ⊕ (2 x_0 (x_1 ∨ C_1)) ) 

where a_0 = x_0, a_i = a_{i-1} ∧ x_i, 1 ≤ i < 4, s = a_3 ⊕ (a_3 + C_0). Also, C_0 is odd and 
known, C_1 = (12481248)_16 and C_3 = (48124812)_16 (Equation (13) in Klimov 
and Shamir [3]). Each of C_1 and C_3 are considered to be 64-bit words where the 
leading 32 bits are all zeros. 

During use of this T-function as a pseudo-random generator, the quantities 
msb(x_i), msb(y_i) are known for i = 0, 1, 2, 3. Our attempt will be to obtain 
lsb(x_i) for i = 0, 1, 2, 3. This proceeds in several steps. 



Step 1: 

First note that msb(w_1 ⊕ w_2) = msb(w_1) ⊕ msb(w_2) and msb(w_1 ∧ w_2) = msb(w_1) ∧ 
msb(w_2). Hence we have msb(a_0) = msb(x_0), msb(a_1) = msb(x_0) ∧ msb(x_1), 
msb(a_2) = msb(x_0) ∧ msb(x_1) ∧ msb(x_2) and msb(a_3) = msb(x_0) ∧ msb(x_1) ∧ 
msb(x_2) ∧ msb(x_3). The quantity s involves an addition mod 2^{64} and cannot be 
directly tackled in this manner. However, we can determine the upper part of 
s with only one bit of uncertainty in the following manner. First note that we 
have msb(a_3 + C_0 mod 2^{64}) = msb(a_3) + msb(C_0) + e mod 2^{32}, where e is the 
carry of lsb(a_3) + lsb(C_0) and hence e = 0, 1. Thus 

    msb(s) = msb(a_3) ⊕ (msb(a_3) + msb(C_0) + e mod 2^{32}) 

and hence msb(s) can take only two values as determined by e. 

Thus, with respect to the known 32 most significant bits, equation (5) reduces 
to 

    msb(2(x_1 ∨ C_1) x_2)   =  msb(y_0) ⊕ msb(x_0) ⊕ msb(s) 
    msb(2 x_2 (x_3 ∨ C_3))  =  msb(y_1) ⊕ msb(x_1) ⊕ (msb(s) ∧ msb(a_0)) 
    msb(2(x_3 ∨ C_3) x_0)   =  msb(y_2) ⊕ msb(x_2) ⊕ (msb(s) ∧ msb(a_1))          (6) 
    msb(2 x_0 (x_1 ∨ C_1))  =  msb(y_3) ⊕ msb(x_3) ⊕ (msb(s) ∧ msb(a_2)) 

Equation (6) gives a relation between known quantities. Let W_0 = 2x_0, W_1 = 
(x_1 ∨ C_1), W_2 = 2x_2 and W_3 = (x_3 ∨ C_3). Also let K_0 = msb(y_0) ⊕ msb(x_0) ⊕ 
msb(s), K_1 = msb(y_1) ⊕ msb(x_1) ⊕ (msb(s) ∧ msb(a_0)), K_2 = msb(y_2) ⊕ msb(x_2) ⊕ 
(msb(s) ∧ msb(a_1)) and K_3 = msb(y_3) ⊕ msb(x_3) ⊕ (msb(s) ∧ msb(a_2)). Our next 
step is to solve for W_0, W_1, W_2 and W_3 such that 

    msb(W_1 W_2) = K_0, msb(W_2 W_3) = K_1, msb(W_3 W_0) = K_2, msb(W_0 W_1) = K_3.    (7) 

Since there are two choices of e, the rest of the steps have to be carried out 
for each value of e. 

Step 2: 

We use Algorithm 1 to solve (7). There are, however, a few adjustments, which 
improve the run-time of Algorithm 1. Note that due to masking with C_1 and C_3, 
eight bits of each of lsb(W_1) and lsb(W_3) are fixed and known. Also W_0 = 2x_0. 
We know msb(x_0) which means we do not know the last bit of msb(W_0) which 
is equal to the first bit of lsb(x_0). To apply Algorithm 1 we have to know all the 
32 bits of msb(W_0). This means that we have to guess the last bit of msb(W_0). 
On the other hand, since W_0 = 2x_0, the last bit of W_0 (and hence of lsb(W_0)) is 
zero. Similar considerations hold for W_2. 

Now suppose we are solving for lsb(W_0) and lsb(W_1) from the equation 
msb(W_0 W_1) = K_3. While invoking Algorithm 1, we let W_1 play the role of x 
and W_0 play the role of y. Further, we choose n_2 = n_1 = 24 (Subcase 2a in 
Section 2.1). Then in Algorithm 1, |U^{(1)}| = 16, |Y^{(0)}| = 24, |X^{(0)}| = 16 and 
|U^{(0)}| = 8. As mentioned before, due to the masking of x_1 with C_1, four bits 
of each of U^{(1)} and X^{(0)} are fixed to be one. Hence the number of choices of 
U^{(1)} in Step 3 and X^{(0)} in Step 9 of Algorithm 1 both reduce to 2^{12} from 2^{16}. 
The last bit of Y^{(0)} is zero and hence the number of choices of Y^{(0)} in Step 5 
of Algorithm 1 reduces to 2^{23} from 2^{24}. The length of U^{(0)} is eight. However, we 
also need to guess the last bit of msb(W_0), which is the next bit after U^{(0)}. Thus 
the number of possible choices of U^{(0)} in Step 9 of Algorithm 1 increases to 2^9 
from 2^8. 

In Step 18, Algorithm 1 produces (lsb(W_1), lsb(W_0)) as output. The modifica- 
tion described above also determines the last bit of msb(W_0). Suppose this bit 
is b. By definition, the last bit of lsb(W_0) is zero. Then lsb(x_0) is obtained by 
prefixing b to lsb(W_0) and dropping the last bit. We assume that the modified 
Algorithm 1 produces (lsb(W_1), lsb(x_0)) as output. Similar considerations hold 
for the other equations in (7). 

Recall from Equation (3) that the original expression for the expected run- 
time of Algorithm 1 is R = 2^{|U^{(1)}|} (2^{|Y^{(0)}|} + 3 × 2^{|X^{(0)}|} × 2^{|U^{(0)}|}). Due to the 
changes in the number of possible choices of U^{(1)}, Y^{(0)}, X^{(0)} and U^{(0)} as ex- 
plained above, this expression reduces to 

    R = 2^{16-4} (2^{24-1} + 3 × 2^{16-4} × 2^9) 
      = 2^{35} + 3 × 2^{33} = 7 × 2^{33} < 2^{36}. 

The time for solving one equation in (7) is approximately 2^{36} and hence 
the total time to solve all four equations is 2^{38}. The solutions to (7) are stored 
in separate lists, as we explain below. Define w_i = lsb(W_i) for i = 1, 3 and 
w_i = lsb(x_i) for i = 0, 2. 

• Lst10 stores (w_1, w_0), sorted on w_1, such that msb(W_0 W_1) = K_3. 

• Lst12 stores (w_1, w_2), sorted on w_1, such that msb(W_1 W_2) = K_0. 

• Lst30 stores (w_3, w_0), sorted on w_3, such that msb(W_3 W_0) = K_2. 

• Lst32 stores (w_3, w_2), sorted on w_3, such that msb(W_2 W_3) = K_1. 

Step 3: 

The next task is to “merge” the four lists to obtain solutions (w_0, w_1, w_2, w_3) 
which are consistent with all four equations. This is done as follows. 

• Merge Lst10 and Lst12 on w_1 to obtain list Lst102 
containing pairs of the form (w_0, w_2, w_1). 

• Merge Lst30 and Lst32 on w_3 to obtain list Lst302 
containing pairs of the form (w_0, w_2, w_3). 

• Sort each of Lst102 and Lst302 on (w_0, w_2). 

• Merge Lst102 and Lst302 on (w_0, w_2) to obtain a list Fin which contains 
tuples of the form (w_0, w_1, w_2, w_3) which are solutions to (7). 

The time for merging and sorting (ignoring logarithmic factors) is 2®^ and 
hence the above steps can be completed in approximately 2 ®'^ steps. 

We consider the expected number of solutions to (7). There are 24 unknown 
bits in each of lsb(W_1) and lsb(W_3). On the other hand, there are 31 unknown 
bits in each of lsb(W_0) and lsb(W_2). In addition, we have to determine the 
last bits of both msb(W_0) and msb(W_2). Thus there are a total of 112 unknown 
bits in (7). Each of the equations in (7) provides 32 restrictions on these unknown 
bits. Hence there are a total of 128 restrictions on these 112 unknown bits. Thus, 
on an average, we can expect the solution to (7) to be unique. See Section 5 for 
an empirical justification of this statement. 

Step 4: 

The list Fin contains the possible solutions (w_0, w_1, w_2, w_3). Now w_i = lsb(W_i) 
for i = 1, 3 and we want lsb(x_i). As mentioned before, the masking of x_1 and x_3 
by C_1 and C_3 respectively fixes 8 bits each of W_1 and W_3. Thus from lsb(W_1) 
and lsb(W_3) we do not obtain the values of these 16 bits of lsb(x_1) and lsb(x_3). 
Instead, for each possible solution (w_0, w_1, w_2, w_3) in Fin and each possible value 
of these 16 bits, we construct a possible solution (lsb(x_0), lsb(x_1), lsb(x_2), lsb(x_3)) 
and verify it using the definition of the T-function given in (5) and a few more 
outputs of the pseudo-random generator. The expected number of solutions 
(lsb(x_0), lsb(x_1), lsb(x_2), lsb(x_3)) is also one and the complexity of this step is 2^{16}. 

This completes the description of the attack. By combining all the complexities, 
we see that the complexity of the attack is less than 2^{40} in determining 
the 128 unknown bits of (lsb(x_0), lsb(x_1), lsb(x_2), lsb(x_3)). This makes the attack 
quite practical and suggests that this T-function should not be used as a 
stand-alone pseudo-random generator. 



4.2 Attack on Squaring Based T Function 

Consider the following T-function: 

$$\begin{pmatrix} x_0 \\ x_1 \\ x_2 \\ x_3 \end{pmatrix} \mapsto \begin{pmatrix} x_0 \oplus s \oplus (x_1^2 \wedge M) \\ x_1 \oplus (s \wedge a_0) \oplus (x_2^2 \wedge M) \\ x_2 \oplus (s \wedge a_1) \oplus (x_3^2 \wedge M) \\ x_3 \oplus (s \wedge a_2) \oplus (x_0^2 \wedge M) \end{pmatrix} \qquad (8)$$

where a_0 = x_0, a_i = a_{i-1} ∧ x_i for 1 ≤ i < 4, s = a_3 ⊕ (a_3 + 1), and M = 1...1110_2. 
This is Equation (10) in [3]. Since msb(a_0) = msb(x_0) and msb(a_i) = msb(a_{i-1}) ∧ 
msb(x_i), 1 ≤ i < 4, we know msb(a_i) for 0 ≤ i < 4. Now, 

$$s = \big(\mathrm{msb}(a_3) \times 2^{32} + \mathrm{lsb}(a_3)\big) \oplus \big(\mathrm{msb}(a_3) \times 2^{32} + \mathrm{lsb}(a_3) + 1\big) = 2^{32}\{\mathrm{msb}(a_3) \oplus (\mathrm{msb}(a_3) + e)\} + \{\mathrm{lsb}(a_3) \oplus (\mathrm{lsb}(a_3) + 1 \bmod 2^{32})\}$$

where e is the carry of lsb(a_3) + 1. If e = 1, then lsb(a_3) equals 1...111_2 = 2^{32} − 1. 
But lsb(a_3) = lsb(x_0) ∧ lsb(x_1) ∧ lsb(x_2) ∧ lsb(x_3) and hence lsb(x_i) = 1...111_2 
for 0 ≤ i < 4. In other words, e = 1 if and only if lsb(x_i) = 1...111_2 for 0 ≤ i < 4, and we 
can verify if this is indeed the case. 

If this is not the case, then e = 0 and so msb(s) = msb(a_3) ⊕ msb(a_3) = 
0...000_2. But then msb(s ∧ a_i) = msb(s) ∧ msb(a_i) = 0...000_2. Also, the 32 
most significant bits of M are all ones and hence msb(x ∧ M) = msb(x) for all 
x. Hence, with respect to the 32 most significant bits, Equation (8) reduces to 



$$\begin{pmatrix} x_0 \\ x_1 \\ x_2 \\ x_3 \end{pmatrix} \mapsto \begin{pmatrix} x_0 \oplus x_1^2 \\ x_1 \oplus x_2^2 \\ x_2 \oplus x_3^2 \\ x_3 \oplus x_0^2 \end{pmatrix} = \begin{pmatrix} y_0 \\ y_1 \\ y_2 \\ y_3 \end{pmatrix} \qquad (9)$$

with msb(x_i) and msb(y_i) known for 0 ≤ i < 4. Let Z_i = msb(x_{i-1}) ⊕ msb(y_{i-1}), 
where the computation on the subscripts is done modulo 4. Then Z_i, 0 ≤ i ≤ 3, are 
known and we need to solve for (x_0, x_1, x_2, x_3) such that the following equation 
holds for i = 0, 1, 2, 3: 

$$\mathrm{msb}\big(x_i^2 \bmod 2^{64}\big) = Z_i. \qquad (10)$$
We use Algorithm 2 to solve these four equations. Solving each equation takes 
time 5 × 2^{(exponent illegible)} (see Case 1 of Section 3) and hence the time to solve all 
four equations is less than 2^{(exponent illegible)}. The possible solutions for lsb(x_0), lsb(x_1), lsb(x_2) 
and lsb(x_3) are kept in four lists L_0, L_1, L_2 and L_3 respectively. Since n = 64 = 
2 × 32 = 2m, the expected number of entries in each list is one. We then form a 
list Fin which contains tuples (lsb(x_0), lsb(x_1), lsb(x_2), lsb(x_3)) such that lsb(x_i) 
is in L_i. Then for each entry in Fin, we verify the solution by evolving the T-function 
in the forward direction a few times and comparing the output with 
the already available pseudo-random bits. 

Thus, we get an algorithm to determine the 128 unknown bits in the input of 
Equation (8). It is easy to verify that the entire attack takes 2^{(exponent illegible)} time. This shows 
that the T-function based on squaring is completely insecure as a stand-alone 
pseudo-random generator. 

4.3 Extracting Lesser Bits 

In this subsection, we use the notation msb_k(x) (resp. lsb_k(x)) to denote the k 
most (resp. least) significant bits of x. The state vector for the T-function in (5) 
is (x_0, x_1, x_2, x_3). Suppose that instead of producing 128-bit output only the 64 
bits (msb_16(x_0), msb_16(x_1), msb_16(x_2), msb_16(x_3)) are produced as output. Thus 
there are 192 unknown bits in (x_0, x_1, x_2, x_3) which have to be determined. We 
consider the effectiveness of our attack for this situation. The attack described 
in Section 4.1 goes through for this case. 

The complexity of the total attack depends on the complexity of solving 
Equation 7. We use Subcase 1b of Section 2.1 along with the modification described 
in Step 2 of Section 4.1. Then the run-time of the modified Algorithm 1 
becomes [expression illegible in this copy]. The number of unknown 
bits in (7) is 2 × (48 − 8) + 2 × 48 = 176. The number of constraints in (7) is 
4 × 16 = 64. Hence the expected number of solutions in Fin is 2^{112}. The correct 
solution can be determined by iterating the T-function and comparing the output 
with the available pseudo-random string. Thus the time taken to determine 
the 192 unknown bits will be 2^{112}. Though this is infeasible in practice, it still 
constitutes a theoretical attack on the system. 



5 Implementation 

We have performed some experiments to verify some of the assumptions about 
the average case behaviour. In this section, we briefly describe these results. 

The first thing to consider is the expected number of solutions to Mult. As 
mentioned in Section 2, the expected number of solutions is [expression illegible]. We describe 
some experimental results for n = 16 and m = 8. The expected number 
of solutions is 2^8 = 256. The total number of possible instances (D) 
is 2^{(exponent illegible)}. The number of instances such that the number of solutions is at most 
256 is around 55% of the total number of instances, while the number of instances 
such that the number of solutions is at most 512 is more than 99%. The 
maximum number of solutions occurs for the case [parameters illegible] = (0, 0, 0), and 
such pathological situations are extremely rare. 

We have implemented the attack on a reduced version of the multiplication 
based T-function described in Section 4.1. We have chosen the state vector to 
be four 32-bit words instead of four 64-bit words. Correspondingly, we have 
extracted the top 16 bits of each word. Also the constants C_1 and C_3 have been 
suitably scaled down. The attack has been implemented on randomly chosen 
instances and in each case the size of Fin was found to be one. This provided 2^8 
choices for the state vector and the unique one could be found using only one 
more block of the available pseudo-random bit string. Thus the attack worked 
extremely well with only three consecutive blocks of output. We expect the 
attack to scale up quite well when applied to the T-function having state vector 
consisting of four 64-bit words. 

For the problem on squaring, we have implemented Algorithm 2. In the case 
n = 64 and m = 32, the complexity of Algorithm 2 is 5 × 2^{(exponent illegible)}. Our experiments 
confirm this theoretical result and hence the attack on the squaring based T-function 
in Section 4.2 works as expected. 



6 Possible Countermeasure 

Our attacks show that T-functions are probably not secure enough for stand- 
alone use especially when half of the bits of the state vector are produced as 
output. As suggested by Klimov and Shamir, T-functions can be used in con- 
junction with S-boxes for design of stream ciphers. We provide one suggestion 
for possibly improving the security of T-functions while retaining some of the 
nice theoretical properties. 

There is a large and easily identifiable subclass C of T-functions such that 
any function in C defines a single cycle permutation on the state space. This is 
an attractive theoretical property. In our suggestion, we would like to preserve 
this property. To do this we apply the notion of conjugate permutations. (A 
similar idea has been used in the context of one-way permutations [5].) If π and 
τ are any two permutations of a set S, then σ = τ^{-1} ∘ π ∘ τ has the same cycle 
structure as π; further, σ and π are called conjugate permutations. 

We apply it to the context of T-functions in the following manner. Suppose 
π is the permutation on the set of all state vectors induced by a T-function from 
C. Then π has a single cycle and any conjugate of π also has a single cycle. Note 
that this property does not depend on the choice of the permutation τ. Hence 
we can choose τ so as to improve the security of the overall mapping. 

In our attack, the basic weakness that we exploit is that there is insufficient 
intermixing of higher and lower bits. One simple operation which can help in 
improving such intermixing is the circular shift (which is not a T-function). Thus 
we can construct a permutation τ on the state space by using circular shifts 
and other nonlinear operations. These operations can be arbitrarily chosen (in 
particular they need not be T-functions) to ensure higher security as long as τ 
is a permutation and they are efficient to apply. 
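The following is an added illustration of the countermeasure on a toy 8-bit state (it is not code from the paper): a known single-cycle T-function π is conjugated by a rotation-based permutation τ, and exhaustive checks confirm that σ = τ^{-1} ∘ π ∘ τ keeps the single cycle while no longer being a T-function. The mapping x ↦ x + (x² ∨ 5) mod 2^n is assumed as a representative member of the class C; τ (a circular shift followed by an XOR constant) is a constructed choice.

```python
from typing import Callable

N_BITS = 8                       # toy word size: the 256-element state space can be exhausted
MASK = (1 << N_BITS) - 1
Perm = Callable[[int], int]


def ks_tfunction(x: int) -> int:
    """Assumed member of class C: the Klimov-Shamir single-cycle T-function x + (x^2 | 5) mod 2^n."""
    return (x + ((x * x) | 5)) & MASK


def rotl(x: int, r: int) -> int:
    """Circular left shift by r bits on an n-bit word (not a T-function)."""
    r %= N_BITS
    return ((x << r) | (x >> (N_BITS - r))) & MASK


def rotr(x: int, r: int) -> int:
    return rotl(x, N_BITS - (r % N_BITS))


def tau(x: int) -> int:
    """Constructed non-T-function permutation: rotate, then xor in a constant."""
    return rotl(x, 3) ^ 0xA5


def tau_inv(x: int) -> int:
    """Inverse of tau: undo the xor, then rotate back."""
    return rotr(x ^ 0xA5, 3)


def conjugate(pi: Perm, t: Perm, t_inv: Perm) -> Perm:
    """sigma = t_inv o pi o t, a conjugate of pi (same cycle structure)."""
    return lambda x: t_inv(pi(t(x)))


def cycle_length_from(f: Perm, start: int) -> int:
    """Length of the cycle of the permutation f that passes through `start`."""
    x, n = f(start), 1
    while x != start:
        x, n = f(x), n + 1
    return n


def is_single_cycle(f: Perm) -> bool:
    """A permutation of 2^n elements is a single cycle iff the orbit of 0 has length 2^n."""
    return cycle_length_from(f, 0) == 1 << N_BITS


def is_t_function(f: Perm) -> bool:
    """T-function test: bit k of f(x) may depend only on bits 0..k of x, for every k.

    Equivalently, inputs that agree on their low k bits must give outputs that
    agree on their low k bits; the check is exhaustive over the toy state space."""
    for k in range(1, N_BITS + 1):
        low = (1 << k) - 1
        seen = {}
        for x in range(1 << N_BITS):
            val = f(x) & low
            if seen.setdefault(x & low, val) != val:
                return False
    return True


# The conjugated mapping proposed by the countermeasure.
sigma = conjugate(ks_tfunction, tau, tau_inv)

if __name__ == "__main__":
    print("pi single cycle:", is_single_cycle(ks_tfunction), "T-function:", is_t_function(ks_tfunction))
    print("sigma single cycle:", is_single_cycle(sigma), "T-function:", is_t_function(sigma))
```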







One penalty for introducing this countermeasure will be reduction in speed. 
The exact amount of speed reduction will depend on the concrete proposal. 
Developing such a concrete proposal based on our guideline is a future research 
problem. 



7 Conclusion 

In this paper, we studied multiplication, squaring and T-functions. In the first 
part of the paper, we presented a time-memory trade-off algorithm to solve the 
problems of multiplication and squaring. These algorithms are used in the second 
part of the paper to analyse two concrete proposals of multi-word T-functions 
from [3]. For the proposal based on multiplication, the 128 unknown bits of 
the state vector can be determined in 2^{40} time while for the proposal based on 
squaring, these bits can be determined in 2^{(exponent illegible)} time. Experimental results from 
our implementation suggest that our attack works well in practice. Hence one 
can conclude that these two (and other similar) constructions of T-functions are 
not secure enough for stand-alone use. We also suggest the use of conjugate permutations 
for possibly improving the security of T-functions while maintaining 
some nice theoretical properties. 

Notes: An anonymous reviewer of the paper has suggested that the problems 
Mult and Sqr can be formulated as closest vector problems in a two-dimensional 
lattice. Using this approach, the time complexity of Algorithm 1 will be 2^{(exponent illegible)} with 
minimal storage space. At the time of preparing this final version, we have not 
been able to obtain the details of such an algorithm. We hope to present such 
details in a later communication. 
Abstract. In this paper, we carefully study both distinguishing and 
key-recovery attacks against Bluetooth two-level E0 given many short 
frames. Based on a flaw in the resynchronization of Bluetooth E0, we are 
able to fully exploit the largest bias of the finite state machine inside E0 
for our attacks. Our key-recovery attack works with 2^{40} simple operations 
given the first 24 bits of 2^{35} frames. Compared with all existing attacks 
against two-level E0, this is the best one so far. 



1 Background 

The short-range wireless technology Bluetooth uses the keystream generator E0 
to produce the keystream for encryption. After the earlier results [10, 9, 6] on 
correlation (also called bias) properties inside the Finite State Machine (FSM) 
of one-level E0, most recently [12] systematically studied the biases 
and proved two previously known large biases to be the only largest ones up to 26 
consecutive bits of the FSM output sequences. Attacks against E0 mostly focus 
on one-level E0 only, and the best attacks [12, 1, 5] work on one impractically long 
frame of keystream without exception. Nevertheless, a few attacks [15, 11, 7-9] 
apply to two-level E0; compared with feasible attack complexities on one-level 
E0, attack complexities on two-level E0 are extremely high and leave the practical 
Bluetooth E0 unbroken. 

The main contribution of this paper is that first, based on one of the two 
largest biases inside the FSM within one-level E0, we identify the bias at two-level 
E0 due to a resynchronization flaw in Bluetooth E0. Unlike the traditional 
approach to finding the bias, the characterized bias does not involve the precomputation 
of a multiple polynomial with low weight. Second, to utilize the identified 
bias, we develop a novel attack to directly recover the original encryption 
key for two-level E0 without reconstructing the initial state of E0 at the second 
level. Our key-recovery attack works with 2^{40} simple operations given the first 
24 bits of 2^{35} frames. Compared with all existing attacks [15, 11, 7-9] against 
two-level E0, this is the best so far. 
[Fig. 1. Diagram of two-level E0 keystream generation (panel labels: the first level, the second level)] 

The rest of the paper is structured as follows. In Section 2 we review the description 
of two-level E0. In Section 3 we study the attack against one-level E0. 
Then, we investigate the E0 resynchronization flaw, which allows us to develop the 
basic attack of the previous section into the distinguishing and key-recovery attacks 
against two-level E0 in Section 4; we further extend our key-recovery attack in 
Section 5. Finally, we conclude in Section 6. 

2 Preliminaries 

2.1 The Core of Bluetooth E0 

To briefly outline, the core of E0 (both dashed boxes in Fig. 1) can be viewed as a 
nonlinear filtering generator. The filtering generator consists of four 
LFSRs (R_1, ..., R_4), which are equivalent to a single L-bit LFSR with connection 
polynomial p(x)^1, and a 4-bit FSM, where L = 128. The keystream bit of the 
generator is obtained by xoring the output bit of the regularly-clocked LFSR 
with that of the FSM, which takes the current state of the LFSR as input and 
emits one bit (denoted by c^0_t in the Bluetooth specification) out of its 4-bit memory. 

2.2 Review on Two-Level Bluetooth E0 

Let K_c be the L-bit secret key computed by the key generation algorithm E3 [3, 
p783]. According to [3], the effective key K of length 8ℓ (1 ≤ ℓ ≤ 16) is computed 
by 

$$K(x) = K_c(x) \bmod g_1^{(\ell)}(x),$$

where the polynomial g_1^{(ℓ)}(x) is specified in [3, p770] and has degree 8ℓ. Bluetooth 
two-level E0 (depicted in Fig. 1) uses two L-bit inputs: one is the known nonce^2 

^1 Note that the connection polynomial of the equivalent single LFSR equals the 
product of those of the four LFSRs. 

^2 By convention, hereafter we always use the superscript i to indicate the context of 
the i-th frame. 
P^i, the other is the linearly expanded L-bit key from K by K'(x) = g_2^{(ℓ)}(x) · 
K(x), where the polynomial g_2^{(ℓ)}(x) is also specified in [3, p770] and has degree 
no larger than L − 8ℓ; equivalently, we can rewrite it as 

$$K' = E(K), \qquad (1)$$

where E is a linear mapping. After initialization of the equivalent LFSR for the 
first level E0, we can express its initial state^3 R^i_{[-199,...,L-200]} = (R^i_{-199}, ..., R^i_{L-200}) as 

$$R^i_{[-199,\dots,L-200]} = G_1(K') \oplus G_2(P^i), \qquad (2)$$

for i = 1, ..., m, where G_1 and G_2 are affine transformations over GF(2)^L. Next 
comes the so-called two-level E0: 

— During the first level, with the FSM initial state preset to zero, E0 runs L 
clocks producing 200-bit output S^i_t = R^i_t ⊕ α^i_t and updating R^i_{[t,...,t+L-1]} by 
R^i_{[t+1,...,t+L]} = M(R^i_{[t,...,t+L-1]}) for t = −199, ..., 0, where M is the linear 
mapping over GF(2)^L that corresponds to the companion matrix associated 
with p(x). Note that first, α^i_t is the output bit of the FSM fed with 
R^i_{[t,...,t+L-1]}; second, the last L-bit output at the first level E0 is S^i_{[1-L,...,0]}; 
last, R^i_{[1-L,...,0]} = (M^{72} ∘ G_1)(K') ⊕ (M^{72} ∘ G_2)(P^i). 

— At the beginning of the second level, the equivalent single LFSR is initialized 
by G_3(S^i_{[1-L,...,0]}), where G_3 : GF(2)^{128} → GF(2)^{128} is another 
affine transformation (see [3, p772]); the FSM initial state at the second 
level remains the same as the one at the end of the first level. Note that the 
present time is t = 1. 

— During the second level, for t = 1, ..., 2745, E0 produces the keystream 
z^i_t = V^i_t ⊕ β^i_t for encryption of the i-th frame and updates V^i_{[t,...,t+L-1]} by 
V^i_{[t+1,...,t+L]} = M(V^i_{[t,...,t+L-1]}). 

2.3 An Important Note on G_3 

We observe that G_3 is implemented in such a simple way^4 that the last L-bit 
output sequence of the first level E0 is byte-wise reloaded into the four component 
LFSRs in parallel at the second level E0 with only a few exceptions, which turns 
out to be a flaw as introduced later in Section 4. For completeness, Table 1 lists 
in time order the first 24 output bits of R_1, ..., R_4 individually at the beginning 
of E0 level two, in terms of the L-bit input v_0, ..., v_{L-1}. 

2.4 The Bias Inside the FSM 

Our starting point would be the bias inside the FSM, which was discovered 
by [9, 6] and further proved in [12] to be the largest bias up to 26-bit output 

^3 Throughout the rest of the paper, for any sequence X we use the unified notation X^i_{[a,...,b]} with the 
formatted subscript to denote the vector (X^i_a, ..., X^i_b). 

^4 It is believed to help increase the rate of keystream generation. 
Table 1. The first 24 output bits of LFSRs at E0 level two 

LFSR | output bits (in time order) 
R_1  | v_71, ..., v_64, v_39, ..., v_32, v_7, ..., v_0 
R_2  | v_79, ..., v_72, v_47, ..., v_40, v_15, ..., v_8 
R_3  | v_111, ..., v_104, v_87, ..., v_80, v_55, ..., v_48 
R_4  | v_119, ..., v_112, v_95, ..., v_88, v_63, ..., v_56 

sequence of the FSM involving the smallest number of consecutive bits. Let 
λ = [value illegible in this copy]; we have 

$$\Pr\big(c^0_t \oplus c^0_{t+1} \oplus c^0_{t+2} \oplus c^0_{t+3} \oplus c^0_{t+4} = 1\big) = \frac{1}{2} + \frac{\lambda}{2}, \qquad (3)$$

for any integer t, assuming that the L + 4 = 132-bit initial state of E0 is random 
and uniformly distributed. Hereafter, we analyze E0 exactly as described in the 
Bluetooth specification [3]. For convenience, we denote the c^0_t used for the first and 
second level keystream generation by α^i_t, β^i_t respectively. Therefore {α^i_t}, {β^i_t}, 
being separated sequences of {c^0_t}, both satisfy the same statistical property: 

$$\Pr\big(\alpha^i_t \oplus \alpha^i_{t+1} \oplus \alpha^i_{t+2} \oplus \alpha^i_{t+3} \oplus \alpha^i_{t+4} = 1\big) = \frac{1}{2} + \frac{\lambda}{2}, \qquad \Pr\big(\beta^i_t \oplus \beta^i_{t+1} \oplus \beta^i_{t+2} \oplus \beta^i_{t+3} \oplus \beta^i_{t+4} = 1\big) = \frac{1}{2} + \frac{\lambda}{2}, \qquad (4)$$

for any t and any i. 



3 Security Analysis on E0 Level One 

The goal of the attacker in this section is to recover the effective 8ℓ-bit encryption 
key K with knowledge of m L-bit output sequences S^i_{[1-L,...,0]} of the first level 
E0 for i = 1, ..., m and the corresponding m nonces P^1, ..., P^m. 

3.1 Finding the Closest Sequences with Fixed Differences 

We begin with a very simple problem: given 2m L-bit sequences s^1, ..., s^m and 
δ^1, ..., δ^m, where δ^1 = 0 and δ^i ≠ δ^j for all i ≠ j, find the L-bit sequence r^1 
that maximizes N(r^1) = Σ_{i=1}^{m} Σ_{t=1}^{L} (s^i_t ⊕ r^i_t), where r^i_t = r^1_t ⊕ δ^i_t for i = 1, ..., m 
and t = 1, ..., L. 

Similar to the well-known approach (see [9, p251]), the solution based on the 
idea of minority vote goes fairly easy. We have 

$$N(r^1) = \sum_{t=1}^{L} \sum_{i=1}^{m} \big(s^i_t \oplus \delta^i_t \oplus r^1_t\big).$$

Thus, in order to maximize N(r^1), we must have 

$$r^1_t = \operatorname{minority}\{\, s^i_t \oplus \delta^i_t : i = 1, \dots, m \,\}$$

for all t = 1, ..., L. Note that in case of a tie for r^1_t, we have two answers for 
this t-th bit regardless of all the other bits. We finally obtain all the answers 
that achieve the same maximal N(r^1). The time and memory complexities of 
the above algorithm both equal the data complexity O(mL). 
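An added worked example of the minority-vote solution above (not code from the paper): on a constructed instance where each s^i_t ⊕ r^i_t is 1 with probability 1/2 + bias, mimicking the biased FSM parity, the position-wise minority vote recovers the hidden r^1 and reports tied positions. The instance generator, the bias value 25/256 and the seed are constructed assumptions, not data from the paper.

```python
import random
from typing import List, Tuple

Bits = List[int]


def minority_vote(s: List[Bits], delta: List[Bits]) -> Tuple[Bits, List[int]]:
    """Recover r^1 maximising N(r^1) = sum_i sum_t (s^i_t xor delta^i_t xor r^1_t).

    Position by position, r^1_t is the minority value among {s^i_t xor delta^i_t}.
    Returns the recovered sequence and the positions where the vote tied; there
    both values give the same score, so a caller must try both (as the text notes).
    """
    m, L = len(s), len(s[0])
    r1: Bits = []
    ties: List[int] = []
    for t in range(L):
        ones = sum(s[i][t] ^ delta[i][t] for i in range(m))
        if 2 * ones == m:
            ties.append(t)
            r1.append(0)                        # arbitrary choice at a tie
        else:
            r1.append(1 if 2 * ones < m else 0)  # the minority value
    return r1, ties


def score(r1: Bits, s: List[Bits], delta: List[Bits]) -> int:
    """N(r^1): number of (i, t) with s^i_t xor r^i_t = 1, where r^i_t = r^1_t xor delta^i_t."""
    return sum(s[i][t] ^ delta[i][t] ^ r1[t]
               for i in range(len(s)) for t in range(len(r1)))


def make_instance(m: int, L: int, bias: float, seed: int):
    """Constructed instance (hypothetical data): a hidden r^1, pairwise distinct
    differences with delta^1 = 0, and s^i_t = r^1_t xor delta^i_t xor e where
    e = 1 with probability 1/2 + bias, i.e. s^i_t xor r^i_t is biased towards 1."""
    rng = random.Random(seed)
    r1 = [rng.randrange(2) for _ in range(L)]
    delta: List[Bits] = [[0] * L]
    while len(delta) < m:
        d = [rng.randrange(2) for _ in range(L)]
        if d not in delta:                      # enforce delta^i != delta^j
            delta.append(d)
    s = [[r1[t] ^ delta[i][t] ^ (1 if rng.random() < 0.5 + bias else 0)
          for t in range(L)] for i in range(m)]
    return r1, s, delta


if __name__ == "__main__":
    hidden, s, delta = make_instance(m=1024, L=128, bias=25 / 256, seed=2004)
    recovered, ties = minority_vote(s, delta)
    print("recovered == hidden:", recovered == hidden, "ties:", ties)
    print("score:", score(recovered, s, delta), "of", 1024 * 128)
```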



3.2 Attack Against E0 Level One 

Let Δ^i = R^i_{[1-L,...,0]} ⊕ R^1_{[1-L,...,0]} for i = 1, ..., m. By Eq.(2) we have 
Δ^i = (M^{72} ∘ G_2)(P^i ⊕ P^1). We further set 

$$\delta^i_t = \bigoplus_{j=0}^{4} \Delta^i_{t+j}, \qquad s^i_t = \bigoplus_{j=0}^{4} S^i_{t+j}, \qquad r^i_t = \bigoplus_{j=0}^{4} R^i_{t+j},$$

for i = 1, ..., m and t = 1 − L, ..., −4. Note that s^i_t ⊕ r^i_t = ⊕_{j=0}^{4} α^i_{t+j} follows the 
biased distribution by Eq.(3). As long as Σ_{i=1}^{m} Σ_{t=1-L}^{-4} (s^i_t ⊕ r^i_t) is the maximal 
and Δ^i, S^i are known, we can apply the preceding algorithm to recover (L − 
4) bits of R^1_{[1-L,...,0]}, followed by an exhaustive search on the remaining 4 bits, next 
solve K' by Eq.(2), and finally deduce K from K' by Eq.(1). The 
time/memory/data complexities all equal O(mL + 2^4 L), i.e. O((m + 16)L). No 
precomputation is needed. 

About the minimal m to guarantee that the valid precondition, Σ_{t=1-L}^{-4} (s^1_t ⊕ 
r^1_t) is the maximal, holds, we use the result in [12, Eq.(10)] based on [2] that says 
regardless of the value of L we need the minimum 

m [right-hand side illegible in this copy; it contains the factor 4 log 2] (frames). (5) 

Consequently, we require m = 512 to recover K from S^i and P^i for i = 
1, ..., m. This results in the time/data/memory complexities all the same as 
O(2^{16}). To verify this, we ran experiments on 512 frames of the randomly-chosen 
132-bit E0 initial state 2^{(exponent illegible)} times. It turned out that we had 1.5 errors and 0.4 
ties on average, which means we can easily correct all errors by an extra checking 
step in the end in negligible time. Finally, Table 2 compares our result with 
the only known^5 four attacks [7, 8, 11, 15] working on frames of L-bit consecutive 
keystreams. Note that existing attacks [7, 8, 11, 15] directly apply to two-level E0 

^5 In the similarly approached paper [9], m is chosen as 45 for E0 level one without the 
complexity estimate, because the authors focused on the two-level E0 and traded m 
with the time complexity of E0 level one, whose time complexity is negligible against 
that of the E0 level two. 

as well with the level-by-level key-recovery scheme^6; in contrast, our attack is 
completely disabled against two-level E0 with this scheme as the attack is based 
on a naive assumption that we directly observe the output of E0 level one^7. In 
the next section, we introduce a resynchronization flaw in Bluetooth E0 that 
leads to a shortcut extended attack against the two-level E0. 

Table 2. Comparison of our attack with existing attacks against E0 level one given 
frames of L bits 

Attack Type            | Precomputation | Time                 | Frames | Data          | Memory 
Divide & Conquer [15]  | -              | 2^93                 | 1      | 2^7           | - 
BDD [11]               | -              | 2^{(illegible)}      | 1      | 2^7           | - 
Algebraic Attack [7]   | -              | (illegible)          | 2      | 2^8           | (illegible) 
Algebraic Attack [8]   | -              | (illegible)          | 3      | (illegible)   | (illegible) 
Our Correlation Attack | -              | 2^16                 | 2^9    | ~2^16         | 2^16 

4 Security Analysis on Two-Level E0 

4.1 The Resynchronization Flaw in Bluetooth Two-Level E0 

Define 

$$U^i = (U^i_1, \dots, U^i_L) = G_3\big(S^i_{[1-L,\dots,0]}\big). \qquad (6)$$

Following the description of G_3 in Subsection 2.3, we can easily verify that 

V^i_t = U^i_t ⊕ α^i_{-56-t} ⊕ α^i_{-48-t} ⊕ [two further terms illegible], for t = 1, ..., 8, 

V^i_t = U^i_t ⊕ α^i_{-80-t} ⊕ α^i_{-72-t} ⊕ α^i_{-32-t} ⊕ α^i_{-24-t}, for t = 9, ..., 16, 

V^i_t = U^i_t ⊕ α^i_{-104-t} ⊕ α^i_{-96-t} ⊕ α^i_{-56-t} ⊕ α^i_{-48-t}, for t = 17, ..., 24. 

From the above equations, we summarize the characteristics of V^i_t by 

$$V^i_t = U^i_t \oplus \alpha^i_{a_t} \oplus \alpha^i_{a_t+8} \oplus \alpha^i_{b_t} \oplus \alpha^i_{b_t+8} \qquad (7)$$

for t = 1, ..., 24, where a_t = −t + const_{⌊(t−1)/8⌋} and b_t = −t + const'_{⌊(t−1)/8⌋}. Note 
that Eq.(7) is our crucial observation about the Bluetooth E0 resynchronization flaw 
which enables a shortcut attack throughout the two levels of E0. Now, we express 
the output bit of the second level E0 keystream by 

$$z^i_t = U^i_t \oplus \alpha^i_{a_t} \oplus \alpha^i_{a_t+8} \oplus \alpha^i_{b_t} \oplus \alpha^i_{b_t+8} \oplus \beta^i_t \qquad (8)$$

^6 namely, the initial state at the first level is reconstructed after the initial state at 
the second level is recovered. 

^7 As a matter of fact, according to [3, p763], Bluetooth takes the correlation properties 
into account and adopts the two-level scheme of keystream generation in practice on 
purpose. 

for t = 1, ..., 24. Let u^i_t = ⊕_{j=0}^{4} U^i_{t+j} and s^i_t = ⊕_{j=0}^{4} z^i_{t+j}. From Eq.(8), we 
have that 

$$s^i_t \oplus u^i_t = \bigoplus_{j=0}^{4} \alpha^i_{a_t-j} \oplus \bigoplus_{j=0}^{4} \alpha^i_{a_t-j+8} \oplus \bigoplus_{j=0}^{4} \alpha^i_{b_t-j} \oplus \bigoplus_{j=0}^{4} \alpha^i_{b_t-j+8} \oplus \bigoplus_{j=0}^{4} \beta^i_{t+j} \qquad (9)$$

for t = 8k + 1, ..., 8k + 4, k = 0, 1, 2 (so that a_{t+j} = a_t − j and b_{t+j} = b_t − j for j = 0, ..., 4). 
Therefore, we deduce an important correlation concerning the practical implementation of E0 from Eq.(3,4,9): 

Theorem 1. Assuming independence of the α^i_t's and β^i_t's, we have 

$$\Pr\big(s^i_t \oplus u^i_t = 1\big) = \frac{1}{2} + \frac{\lambda^5}{2}$$

for t = 8k + 1, ..., 8k + 4, k = 0, 1, 2. 

4.2 A Near-Practical Distinguishing Attack Against Two-Level E0 

Using the standard technique of linear cryptanalysis, we expect that s^i_t ⊕ u^i_t 
equals one most of the time for t = 8k + 1, ..., 8k + 4, k = 0, 1, 2, with a total of 
≈ 2^{(exponent illegible)} samples. Since the difference 

$$U^i \oplus U^j = G_3\big(S^i_{[1-L,\dots,0]}\big) \oplus G_3\big(S^j_{[1-L,\dots,0]}\big) = (G_3 \circ M^{72} \circ G_2)(P^i \oplus P^j)$$

is known for all i and j by Eq.(2,6), we apply the algorithm in Subsection 3.2 to 
recover the bit u^i_t separately with two sets of 2^{34} frames sharing only one common 
frame, denoted as the first frame for both sets. If we get a unique solution, we 
conclude the keystreams are generated by E0; otherwise, we accept them as truly 
random sources. The time/data complexities are O(2 × 2^{34} × 5), i.e. O(2^{37}). In 
contrast to the conventional treatment based on finding a multiple polynomial 
with low weight, no precomputation is needed in our scenario. So far, this is the 
only known near-practical attack against the full two-level E0. We can further 
improve the distinguisher by recovering u^i_t for t = 1, ..., 4 with two different sets 
of frames of the first 8 bits. Comparing the two sets of solutions for the four bits, if we 
get a majority of identical bits, then we conclude the keystreams are generated 
by E0; otherwise we accept them as truly random sources. The number of frames 
we need is 2 × 2^{34}/4 = 2^{33}. This results in time/data complexities O(2^{33} × 8), 
i.e. O(2^{36}). 

4.3 The Key-Recovery Attack Against Two-Level E0 

From the last subsection and Theorem 1, we know that with 2^{34} frames of keystreams, 
we can recover twelve bits, i.e. u^i_t for t = 8k + 1, ..., 8k + 4, k = 0, 1, 2. After that, 
we try exhaustively for the remaining |K| − 12 bits assuming linear independency 
of the twelve bits^8. Note that we have 

$$U^i = (G_3 \circ M^{72} \circ G_1)(K') \oplus (G_3 \circ M^{72} \circ G_2)(P^i), \qquad (10)$$

^8 We tested and found that the twelve bits are linearly independent for all choices of 
effective key length |K| = 8ℓ except for |K| = 8, in which case our attack is worse 
than the brute force attack and becomes meaningless anyway. 

by Eq.(6,2). So, we deduce from Eq.(10,1) that 

$$U^i = (G_3 \circ M^{72} \circ G_1 \circ E)(K) \oplus (G_3 \circ M^{72} \circ G_2)(P^i),$$

which means U^i is an affine transformation of K given P^i, and so is u^i_t. Thus, we 
can ultimately solve the effective key K from u^i_t. The total time complexity of 
our attack is computed as 

$$2^{34} + 2^{|K|-13} \approx \begin{cases} 2^{34}, & |K| < 48 \\ 2^{|K|-13}, & |K| > 48 \end{cases}$$

The data complexity of our attack is (2^{34} − 1) · 24 + 128, i.e. O(2^{38.6}), as 
we need 2^{34} − 1 frames of the first 24 bits plus one frame of 128 bits. Table 3 
compares our attack with existing attacks [15, 11, 7, 8, 9] against the two-level 
Bluetooth E0. Note that the number of required frames completely depends on 
the frame size in [7] to meet the requirement of data amount. This is, to our 
best knowledge, the first non-trivial^9 attack against practical E0 with various key 
lengths. Notice that when 40 < |K| < 80, our attack offers the best performance 
over the others. 



Table 3. Comparison of our attack with existing attacks against two-level Bluetooth E0 

Attack            | Precomputation | Time                 | Frames | Data             | Memory 
exhaustive search | -              | 2^{|K|-1}            | 1      | |K|              | - 
[15]              | -              | 2^93                 | 1      | 2^7              | - 
[11]              | -              | 2^{(illegible)}      | 1      | 2^7              | - 
[7]               | (illegible)    | (illegible)          | -      | 2^{(illegible)}  | (illegible) 
[8]               | (illegible)    | (illegible)          | 2      | (illegible)      | 2^{(illegible)} 
[9]               | -              | 2^{(illegible)}      | 45     | (illegible)      | 2^{(illegible)} 
Our Attack        | -              | 2^{|K|-13} + 2^34    | 2^34   | 2^38.6           | 2^34 

Remark 2. Note that our attack is based on one of the two largest (linearly 
dependent) biases, which is introduced in Eq.(3). As a time/data tradeoff, we 
might also expect some other linearly independent biases to be large 
enough so that the time is decreased at a somewhat reasonably increasing cost of 
data/memory complexities. Nonetheless, using the computation formula of [12], 
we find no such bias that leads to a data complexity of less than 2^{(exponent illegible)}. 

Remark 3. As the nonces P^i's are affine transformations of a 26-bit clock and 
a master device address, our attack, requiring much more than 2^{26} frames of 
keystream, still remains impractical, unfortunately. 

^9 in contrast to the brute force attack. 
5 Extended Key-Recovery Attack Against Two-Level E0 

5.1 A Partial Key-Recovery Attack 

Notice that on one hand, each of the four leftmost biased bits on the right-hand 
side of Eq.(9) is computed only with a certain subset of fixed key bits, the known 
nonce and the unknown variable FSM initial state; on the other hand, the value of 
Eq.(9) can be easily predetermined from the left-hand side, after we recover the u^i_t's 
with 2^{34} frames by the distinguisher in Subsection 4.2. Consequently, the well-known 
technique of statistical cryptanalysis leads us to the following approach 
to advance our key-recovery attack: supposing we manage to guess one of those 
four biased bits for all frames by guessing only the related key bits, then, for 
each frame, we XOR the guess on the biased bit with the predetermined value 
of Eq.(9) to obtain one bit. Thanks to Eq.(9), this bit shows bias for the right 
guess and almost balancedness for the wrong guess (which is also called statistically 
distinguishable); we are able to spot the right guess out of all guesses finally. 

[Fig. 2. Computation diagram of S_{a_t-2}, S_{a_t-1}, S_{a_t}] 

More specifically, we observe two important points about the E0 FSM state: first, 
the FSM state at time t always contains the two bits c^0_t, c^0_{t-1}; second, the 4-bit 
FSM state is updated by its current state together with four current output bits 
of the LFSRs. Therefore, for fixed t ∈ {8k + 1, ..., 8k + 4} and k ∈ {0, 1, 2}, the 
bit^{10} ⊕_{j=0}^{4} α'_{a_t-j} computed from the 5 consecutive bits α'_{a_t-4}, ..., α'_{a_t} is derived 
from the same subset of 4 × 3 = 12 bits of the shared key K in all frames given 
P^i together with the unknown frame-dependent FSM state at time a_t − 3 (see 

^{10} For our convenience, we discuss the first biased bit on the right-hand side of Eq.(9) 
from now on; however, due to symmetry of the subscripts on the right-hand side of 
Eq.(9), our discussion also applies to the other three biased bits but the last. 
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Fig. 2). We can compute all the possible sequences , 0 ^ 4-2 according 
to every possible FSM state for each frame i with t S {8fc + 1, . . . , 8fc + 4} and 
k G {0, 1, 2}. Within one frame, of all the choices of 12-bit K' of K, and the FSM 
state, the sequence computed with the right shared 12-bit K and the right FSM 
state yields 0 ^^^ which equals ® 0l+j) 

with bias when xoring with the computable bit s\ ®u\ by Eq.(9); meanwhile, 
the sequence obtained with the wrong FSM state and/or the wrong shared 12-bit 
K' is expected to produce a new biased bit 0j^o (with bias A) which when 
xoring with s\ 0 u\ finally generates a bit with much smaller bias A® that could 
be approximated by a randomly and uniformly distributed bit. Therefore, we 
estimate that for every frame, the 12-bit guess K' would yield 2"^ randomly and 
uniformly distributed bits, except for the correct guess that produces 2"^ — 1 = 15 
randomly and uniformly distributed bits as well as one biased bit (with bias A^) . 

Alternatively, for every frame $i$, we can guess $4(2+\tau)$ bits $K'$ of $\mathcal{K}$ together with the FSM state at time $\alpha t - \tau - 2$ to compute consecutively the $\tau$ bits $\bigoplus_{j=0}^{4} a'_{\alpha t-j}, \ldots, \bigoplus_{j=0}^{4} a'_{\alpha t-j-\tau+1}$ with $\tau \le 5 - (t \bmod 8)$ for fixed $t \in \{8k+1, \ldots, 8k+4\}$ and $k \in \{0, 1, 2\}$. Denote by $m$ the required number of frames, to be discussed later. For the same reason as before, when we xor the $\tau$ bits with $s^i_t \oplus u^i_t, \ldots, s^i_{t+\tau-1} \oplus u^i_{t+\tau-1}$, we expect the $16m$ sequences to comply with the uniform distribution $\mathcal{D}_0$ of $\tau$-bit vectors for all wrong guesses $K'$, and the $16m$ sequences for the right guess $K$ to comply with the biased distribution $\mathcal{D}_1$ of $\tau$-bit vectors approximated by

$$\mathcal{D}_1 = \frac{\mathcal{D}' + 15\,\mathcal{D}_0}{16}, \qquad (11)$$

where $\mathcal{D}'$ (computed as a regular convolutional product $\otimes$ of the component distributions, see [12]) is the distribution of the $\tau$ bits $\bigoplus_{j=0}^{4} a_{\alpha t-j} \oplus s_t \oplus u_t, \ldots, \bigoplus_{j=0}^{4} a_{\alpha t-j-\tau+1} \oplus s_{t+\tau-1} \oplus u_{t+\tau-1}$ obtained with the right guess and the right FSM state. Note that Eq.(11) means all the biases in $\mathcal{D}'$ dwindle 16 times in $\mathcal{D}_1$, i.e. we have the following relation between the Walsh coefficients $\hat{\mathcal{D}}_1(x)$, $\hat{\mathcal{D}}'(x)$ of any nonzero $\tau$-bit vector $x$:

$$\hat{\mathcal{D}}_1(x) = \frac{\hat{\mathcal{D}}'(x)}{16}. \qquad (12)$$

Let $f : GF(2)^\tau \to \mathbb{R}$ be a weighted grade for the resultant sequences $X^1_{K'}, \ldots, X^{16m}_{K'}$ from the guess $K'$. We accordingly grade each guess $K'$ by

$$G_{K'} = \sum_{i=1}^{16m} f\big(X^i_{K'}\big). \qquad (13)$$
Using the analysis of [16] and [2] (see the Appendix for the complete treatment), we show that with a minimum of

$$m = \frac{\tau + 2}{2\tau - 1} \cdot 2^{34.5}$$

frames, the score $G_K$ of the right guess tops the chart when we choose $f(x) = \mathcal{D}_1(x) - \frac{1}{2^\tau}$ for all $x \in GF(2)^\tau$. Note that with $f(x) = \mathcal{D}'(x) - \frac{1}{2^\tau}$ we obtain, by Eq.(12), the same resultant scores $G_{K'}$ up to a constant factor of 16 for all $K'$, hence the same ranking. Also, recall that to predetermine $u^i_1, \ldots$ we need $2^{34}$ frames for the distinguisher. Thus we must have

$$m \approx \max\Big(2^{34},\ \frac{\tau + 2}{2\tau - 1} \cdot 2^{34.5}\Big). \qquad (14)$$

(Footnote: We omit the superscript $i$ and use $a'_t$ to denote the candidate for $a^i_t$.)

Algorithm 1 details the above partial key-recovery attack for $4(2+\tau)$ bits.

Algorithm 1 The extended attack against two-level E0 to recover $4(2+\tau)$ bits
Parameters:
1: $\mathcal{D}_1$ by Eq.(11)
2: $\tau \in [1, 4]$
3: $m$ by Eq.(14)
Input:
4: keystreams $z^i_1 \cdots z^i_{24}$ generated by the same $\mathcal{K}$ together with $P^i$ under two-level E0, for $i = 1, \ldots, m$
Processing:
5: choose $k \in \{0, 1, 2\}$ and $t \in \{8k+1, \ldots, 8k+4\}$ with $\tau \le 5 - (t \bmod 8)$
6: for all $4(2+\tau)$-bit $K'$ of $\mathcal{K}$ that are used to compute $a'_{\alpha t-\tau-1}, \ldots, a'_{\alpha t}$ and are consistent with previously recovered bits do
7:   initialize $G_{K'}$ to zero
8:   for $i = 1, \ldots, m$ do
9:     initialize counters $N_0, \ldots, N_{2^\tau-1}$ to zero
10:    for all 4-bit FSM states at time $\alpha t - \tau - 2$ do
11:      compute $a'_{\alpha t-\tau-1}, \ldots, a'_{\alpha t}$
12:      compute $b = b_0, \ldots, b_{\tau-1}$ with $b_n = \bigoplus_{j=0}^{4} a'_{\alpha t-j-n} \oplus s^i_{t+n} \oplus u^i_{t+n}$
13:      increment $N_b$
14:    end for
15:    increment $G_{K'}$ by $\sum_b N_b \big(\mathcal{D}_1(b) - \frac{1}{2^\tau}\big)$
16:  end for
17:  add the pair $(G_{K'}, K')$ into the list
18: end for
19: find the largest $G_K$ in the list and output $K$



5.2 Complexities and Optimization Issues

About the performance of the partial key-recovery attack, it is seen from Algorithm 1 that, to recover $4(2+\tau)$ bits, it runs through $m \cdot 2^{4(2+\tau)}$ frame-and-guess pairs, computing the $2+\tau$ bits $a'_{\alpha t-\tau-1}, \ldots, a'_{\alpha t}$ for each of the $2^4$ FSM states, in order to grade $2^{4(2+\tau)}$ candidates. In total, we have to perform $T = m(2+\tau) \cdot 2^{12+4\tau}$ operations, where $m$ is set by Eq.(14).

Additionally, the loop from Line 9 to Line 15 can be done in one operation after a precomputation, as detailed below, which makes $T = m \cdot 2^{4(2+\tau)}$. During preprocessing, we run through every $y_{\alpha t-1}, \ldots, y_{\alpha t-\tau-2}$ (where $y_t$ denotes the Hamming weight of the original four component LFSRs' output bits at time $t$) to compute the $2^4$ possible sequences $a'_{\alpha t-\tau-1}, \ldots, a'_{\alpha t}$, which yield $2^4$ sequences $b' = b'_0, \ldots, b'_{\tau-1}$ with $b'_n = \bigoplus_{j=0}^{4} a'_{\alpha t-j-n}$ accordingly; for each $\tau$-bit value $b'$ we increment a counter $N_{b'}$; and last, we build a table to store

$$h(y_{\alpha t-1}, \ldots, y_{\alpha t-\tau-2};\, b'') = \sum_{b'} N_{b'} \Big(\mathcal{D}_1(b' \oplus b'') - \frac{1}{2^\tau}\Big)$$

for every $\tau$-bit $b''$. The precomputation needs memory $2^\tau \cdot 5^{2+\tau} \approx 2^{3.32\tau + 4.6}$ and time $2^\tau \cdot 5^{2+\tau} \cdot (2+\tau) \cdot 2^4 \approx (\tau + 2)\, 2^{3.32\tau + 8.6}$. After that, in real-time processing, for each frame $i$ we just compute $b'' = b''_0, \ldots, b''_{\tau-1}$ with $b''_n = s^i_{t+n} \oplus u^i_{t+n}$ for $n = 0, \ldots, \tau-1$, deduce $y_{\alpha t-1}, \ldots, y_{\alpha t-\tau-2}$ from $K'$ and $P^i$, and increment $G_{K'}$ by $h(y_{\alpha t-1}, \ldots, y_{\alpha t-\tau-2};\, b'')$. Thus, we get $T = m \cdot 2^{4(2+\tau)}$.

Moreover, when $2^{4(2+\tau)} \cdot 2^\tau < m$, i.e. $2^{8+5\tau} < m$, we can further reduce $T$ down to $m + 2^{16+9\tau}$. Notice that it is the same subset $\Omega^i$ of $4(2+\tau)$ bits of $P^i$ that is used to compute $y^i = (y_{\alpha t-1}, \ldots, y_{\alpha t-\tau-2})$. For convenience, let $g$ map $P^i$ to $\Omega^i$, i.e. $g(P^i) = \Omega^i \in GF(2)^{4(2+\tau)}$. We precompute a table $h'(\Omega, q)$ for every $4(2+\tau)$-bit $\Omega$ and $\tau$-bit $q$ defined by

$$h'(\Omega, q) = \sum_{i=1}^{m} \mathbf{1}_{\{\Omega = g(P^i),\ q = u^i \oplus s^i\}},$$

with $u^i = (u^i_t, \ldots, u^i_{t+\tau-1})$ and $s^i = (s^i_t, \ldots, s^i_{t+\tau-1})$. This takes time $O(m)$ with memory $O(2^{8+5\tau})$. Recall that $u^i$ is determined independently of $K'$ by the distinguisher in Subsection 4.2, and $u^i, s^i, y^i$ completely determine how to increment $G_{K'}$ for frame $i$, i.e. by $h(y^i;\, u^i \oplus s^i)$ from the last paragraph. So, in real-time processing, for every $K'$, instead of processing frame by frame to update $G_{K'}$, we simply go through every $(8+5\tau)$-bit pair $(\Omega, q)$, deduce $y = (y_{\alpha t-1}, \ldots, y_{\alpha t-\tau-2})$ from $\Omega$ and $K'$, then increment $G_{K'}$ by $h'(\Omega, q) \cdot h(y;\, q)$. We reach the time complexity

$$T = m + 2^{4(2+\tau)} \cdot 2^{8+5\tau} = m + 2^{16+9\tau} \qquad \text{for } 2^{8+5\tau} < m.$$

To summarize, we have $T = m + 2^{4(2+\tau)} \cdot \min(m, 2^{8+5\tau})$. Table 4 lists the best complexities of our partial key-recovery attack corresponding to $\tau = 1, \ldots, 4$. Note that the success probability of the attack in the table is estimated according to the hypothesis test result of Eq.(11), i.e. the percentage of the $4(2+\tau)$-bit keys that generate a non-uniformly distributed sequence $a'_{\alpha t-\tau-1}, \ldots, a'_{\alpha t}$ with all the possible FSM states.

5.3 The Overall Key-Recovery Attack

Now we discuss how we proceed with the optimized Algorithm 1 to recover the full $\mathcal{K}$. With $\tau = 2$ and fixed $k$, we independently run Algorithm 1 three times with $t = 8k+1, \ldots, 8k+3$, and we expect at least two successes out of the three runs. After checking the consistency of all the overlapping bits for every possible pair of the algorithm outputs, we identify all the successful runs and obtain a minimum of $16 + 4 = 20$ key bits.

Table 4. Performance of our partial key-recovery attack against two-level E0
($m$ from Eq.(14) and $T = m + 2^{4(2+\tau)} \cdot \min(m, 2^{8+5\tau})$, rounded)

  tau   Frames m    Time T     Prob. of success   Recovered key bits 4(2+tau)
   1    2^36.1      2^36.1     50.8%              12
   2    2^34.9      2^35.5     87.0%              16
   3    2^34.5      2^43       99.0%              20
   4    2^34.3      2^52       99.9%              24

We can easily adjust Algorithm 1 to target any of the middle three biased bits on the right-hand side of Eq.(9) to recover 16 bits. With each modified partial key-recovery algorithm, we repeat the previous procedure to recover a minimum of 20 bits. In total, we are sure to gather $4 \times 20 = 80$ bits. Since we already have 12 bits from the distinguisher, we finally exhaustively search the remaining $L - 80 - 12 = 36$ bits within one frame. Algorithm 2 gives the abstract strategy of our complete attack. Therefore, to recover the $L$-bit $\mathcal{K}$, our key-recovery attack works on $m = 2^{35}$ frames, in time $24m + 4 \times 3 \times 2^{35.5} \approx 2^{40}$. The comparison of our attack with the best known attacks [7, 8, 9] against two-level E0 for $|\mathcal{K}| = L$ is available in Table 5.

Table 5. Comparison of our attack with the best attacks [7-9] against two-level E0 for $|\mathcal{K}| = L$
(data for our attack is the first 24 bits of each of the $2^{35}$ frames; cells marked "(illegible)" could not be recovered from the scan)

  Attack       Precomputation   Time          Frames    Data          Memory
  [7]          -                2^73          -         2^43          2^51
  [8]          (illegible)      (illegible)   2         (illegible)   (illegible)
  [9]          (illegible)      (illegible)   45        (illegible)   (illegible)
  Our attack   -                2^40          2^35      2^39.6        (illegible)

Algorithm 2 The abstract of the complete attack against two-level E0 for $|\mathcal{K}| = L$
Parameters:
1: $m$ by Eq.(14)
Input:
2: $m$ frames of 24-bit keystreams generated by the same $\mathcal{K}$ together with known nonces under two-level E0
Processing:
3: for each of the leftmost four biased bits on the right-hand side of Eq.(9) do
4:   choose $k \in \{0, 1, 2\}$ and set $\tau = 2$
5:   for $t = 8k+1, 8k+2, 8k+3$ do
6:     use the optimized partial key-recovery attack to obtain 16 bits
7:   end for
8:   check consistency among pairs of those 16 bits to obtain a minimum of 20 bits of $\mathcal{K}$
9: end for
10: exhaustively search the remaining 36 key bits within one frame
11: output the $L$-bit $\mathcal{K}$



6 Conclusion

In this paper, based on one of the two largest biases inside the FSM within one-level E0, we identify for the first time the bias at two-level E0 due to a resynchronization flaw in Bluetooth E0. Unlike the traditional approach to finding the bias, the characterized bias does not involve the precomputation of a low-weight multiple polynomial. Second, to utilize the identified bias, we develop a novel attack to directly recover the original encryption key for two-level E0 without reconstructing the initial state of E0 at the second level. Our key-recovery attack works with $2^{40}$ simple operations given the first 24 bits of $2^{35}$ frames. Compared with all existing attacks [15, 11, 7, 8, 9] against two-level Bluetooth E0, this is the best one so far, although the impossibly high number of frames prevents our attack from being practical. It remains an open challenge to decrease the data complexity with practical time and memory complexities. Finally, our attack illustrates the theory of statistical attacks in [2, 16] with an example which is not based on linear cryptanalysis.
Appendix

All our analysis here is similar to [16] and inspired by [2]. First, by Eq.(13), we have

$$\mathrm{Exp}(G_{K'}) = \frac{16m}{2^\tau} \sum_b f(b)$$

for a random wrong guess $K'$, and by Eq.(11) we have

$$\mathrm{Exp}(G_K) = \frac{15m}{2^\tau} \sum_b f(b) + m \sum_b \mathcal{D}'(b)\, f(b)$$

for the right $K$. Hence,

$$\Delta\mathrm{Exp}(G_{K'}) = \mathrm{Exp}(G_K) - \mathrm{Exp}(G_{K'}) = m \sum_b \Big(\mathcal{D}'(b) - \frac{1}{2^\tau}\Big) f(b). \qquad (15)$$

Meanwhile, we compute the variance of $G_{K'}$ as

$$\mathrm{Var}(G_{K'}) = 16m \left[ \frac{1}{2^\tau} \sum_b \big(f(b)\big)^2 - \Big(\frac{1}{2^\tau} \sum_b f(b)\Big)^2 \right]. \qquad (16)$$

We can estimate the rank of $G_K$ over all possible $G_{K'}$ by Eq.(17). In order to achieve the top rank for $G_K$, we see that the fraction

$$\frac{\Delta\mathrm{Exp}(G_{K'})}{\sqrt{\mathrm{Var}(G_{K'})}} \qquad (18)$$

must be large enough. This can be satisfied as long as the number $m$ of available frames is sufficiently large. However, aiming at a practical attack, we are concerned with the question of how to choose $f$ in order to minimize $m$ under the constraint of the top rank of $G_K$. In order to maximize the fraction (18), we first maximize the numerator with the constraint that the denominator is a constant and then try to maximize the fraction over all the solutions. Define the multivariate polynomial in the values $f(b)$ obtained by adding the constraint with a Lagrange multiplier $\mu$:

$$\sum_b \Big(\mathcal{D}'(b) - \frac{1}{2^\tau}\Big) f(b) + \mu \left[ \frac{1}{2^\tau} \sum_b \big(f(b)\big)^2 - \Big(\frac{1}{2^\tau} \sum_b f(b)\Big)^2 - c \right].$$

Using Lagrange's multiplier, we have

$$\Big(\mathcal{D}'(b) - \frac{1}{2^\tau}\Big) + \mu \Big( f(b) - \frac{1}{2^\tau} \sum_{b'} f(b') \Big) = 0 \qquad (19)$$

for all $b \in GF(2)^\tau$ (the constant factors of the derivative are absorbed into $\mu$). From Eq.(19) we infer that

$$\frac{f(b) - f(b')}{\mathcal{D}'(b) - \mathcal{D}'(b')} = \text{const.}$$

for all $b \ne b'$. Therefore we have a universal expression of $f$ as

$$f(b) = \text{const.} \cdot \mathcal{D}'(b) + \text{const.}'$$

for all $b \in GF(2)^\tau$, which yields the same quantity of (18) regardless of the constants in $f$. So the easiest way to define $f$ could be $f(b) = \mathcal{D}'(b) - \frac{1}{2^\tau}$ for all $b \in GF(2)^\tau$. Then Eq.(15) reduces to

$$\Delta\mathrm{Exp}(G_{K'}) = \frac{m\,(2\tau - 1)\,\lambda^8}{2^\tau}.$$

On the other hand, Eq.(16) reduces to

$$\mathrm{Var}(G_{K'}) = \frac{16m\,(2\tau - 1)\,\lambda^8}{2^{2\tau}}.$$
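A worked consequence of the reduced forms of (15) and (16), added here and not part of the paper, showing where the common factor $(2\tau-1)\lambda^8$ and the $\sqrt{m}$ growth of the fraction (18) come from. It assumes the Walsh transform convention $\hat{\mathcal{D}}(x) = \sum_b \mathcal{D}(b)(-1)^{x \cdot b}$, so that $\mathcal{D}(b) = 2^{-\tau}\sum_x \hat{\mathcal{D}}(x)(-1)^{x \cdot b}$ and $\hat{\mathcal{D}}(0) = 1$ for every distribution $\mathcal{D}$ on $GF(2)^\tau$.

$$
\begin{aligned}
\sum_b \Big(\mathcal{D}'(b) - \frac{1}{2^\tau}\Big)^2
 &= \frac{1}{2^{2\tau}} \sum_{x \ne 0}\sum_{x' \ne 0} \hat{\mathcal{D}}'(x)\,\hat{\mathcal{D}}'(x') \sum_b (-1)^{(x \oplus x')\cdot b}
  = \frac{1}{2^\tau} \sum_{x \ne 0} \hat{\mathcal{D}}'(x)^2 , \\[4pt]
\Delta\mathrm{Exp}(G_{K'})\Big|_{f = \mathcal{D}' - 2^{-\tau}}
 &= m \sum_b \Big(\mathcal{D}'(b) - \frac{1}{2^\tau}\Big)^2
  = \frac{m}{2^\tau} \sum_{x \ne 0} \hat{\mathcal{D}}'(x)^2 , \\[4pt]
\mathrm{Var}(G_{K'})\Big|_{f = \mathcal{D}' - 2^{-\tau}}
 &= \frac{16m}{2^\tau} \sum_b \Big(\mathcal{D}'(b) - \frac{1}{2^\tau}\Big)^2
  = \frac{16m}{2^{2\tau}} \sum_{x \ne 0} \hat{\mathcal{D}}'(x)^2
  \qquad \Big(\text{since } \sum_b f(b) = \sum_b \mathcal{D}'(b) - 1 = 0\Big), \\[4pt]
\frac{\Delta\mathrm{Exp}(G_{K'})}{\sqrt{\mathrm{Var}(G_{K'})}}
 &= \frac{1}{4}\sqrt{m \sum_{x \ne 0} \hat{\mathcal{D}}'(x)^2}
  = \frac{1}{4}\sqrt{m\,(2\tau - 1)\,\lambda^8}.
\end{aligned}
$$

The first line uses $\sum_b (-1)^{(x \oplus x') \cdot b} = 2^\tau$ if $x = x'$ and $0$ otherwise. The last equality holds when $\mathcal{D}'$ has $2\tau - 1$ nonzero Walsh coefficients of magnitude $\lambda^4$, which is exactly what the reduced forms of (15) and (16) above express; the fraction (18) is invariant under scaling $f$ by a constant, which is why $f = \mathcal{D}_1 - 2^{-\tau}$ and $f = \mathcal{D}' - 2^{-\tau}$ give the same ranking, and it grows as $\sqrt{m}$, which is the dependence behind the expression for $m$ that follows.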
So we deduce from Eq.(17) that, among the $2^{4(2+\tau)}$ candidates, $\mathrm{Rank}_{G_K}$ is expected to top the chart with

$$m = \frac{256\,(2+\tau)\,\log 2}{\lambda^8\,(2\tau - 1)} = \frac{\tau + 2}{2\tau - 1} \cdot 2^{34.5}.$$
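The grading of Algorithm 1 (Section 5.1) and the moments (15) and (16) of the Appendix, in runnable form. This is an added example, not code from the paper: E0 itself is replaced by a constructed toy model in which every frame contributes 16 $\tau$-bit samples (one per FSM state), and only for the right guess does one of them follow a biased distribution $\mathcal{D}'$ while the other 15 are uniform, which is the mixture of Eq.(11). The 6-bit guess space, the bias value and the Walsh spectrum of $\mathcal{D}'$ are assumptions chosen so the simulation runs in seconds; `predicted_moments` and `frames_for_top_rank` are hypothetical names for the Appendix's formulas and for a Gaussian-tail rule of thumb on the number of frames, not the paper's Eq.(17).

```python
"""Key ranking with the grade of Eq.(13) on a toy model (added example, not the
paper's code).  Per guess and per frame, 16 tau-bit samples are drawn: for the
right guess one follows the constructed biased distribution D' and 15 are
uniform (Eq.(11)); for a wrong guess all 16 are uniform."""
import math
import random
from collections import Counter

TAU = 2           # length of the graded bit vectors
KEY_BITS = 6      # toy guess space of 2^6 candidates (the paper has 2^{4(2+tau)})
BIAS = 0.25       # constructed Walsh coefficient of D' on its 2*tau-1 nonzero spectra
RIGHT_KEY = 0b101101   # constructed "right" guess


def parity(x):
    return bin(x).count("1") & 1


def biased_distribution(tau=TAU, bias=BIAS):
    """D'(b) = 2^-tau * sum_x W(x) (-1)^{x.b} with W(0) = 1 and W(x) = bias for x a
    single bit or two adjacent bits: 2*tau-1 nonzero coefficients, the structure
    behind the paper's (2*tau-1) lambda^8 factor."""
    nonzero = {1 << i for i in range(tau)} | {3 << i for i in range(tau - 1)}
    n = 1 << tau
    return [sum((1.0 if x == 0 else bias if x in nonzero else 0.0)
                * (-1) ** parity(x & b) for x in range(n)) / n
            for b in range(n)]


def grade_weights(d_prime):
    """f(b) = D'(b) - 2^-tau, the grade the Appendix shows to be optimal."""
    return [p - 1.0 / len(d_prime) for p in d_prime]


def score(counts, f):
    """Algorithm 1, line 15: G_{K'} += sum_b N_b f(b)."""
    return sum(counts[b] * f[b] for b in range(len(f)))


def sample_counts(rng, m, d_prime, right_guess):
    """Counters N_b over the 16*m samples of one guess (Eq.(11) mixture)."""
    values = range(len(d_prime))
    drawn = rng.choices(values, k=(15 if right_guess else 16) * m)
    if right_guess:
        drawn += rng.choices(values, weights=d_prime, k=m)
    hist = Counter(drawn)
    return [hist[b] for b in values]


def rank_guesses(m, seed=1):
    """Grades every guess on m frames; returns (ranking best first, scores)."""
    d_prime = biased_distribution()
    f = grade_weights(d_prime)
    rng = random.Random(seed)
    scores = {g: score(sample_counts(rng, m, d_prime, g == RIGHT_KEY), f)
              for g in range(1 << KEY_BITS)}
    return sorted(scores, key=scores.get, reverse=True), scores


def predicted_moments(m):
    """Eq.(15) and Eq.(16) for f = D' - 2^-tau: expected score gap of the right
    guess over a wrong one, and variance of a wrong guess's score."""
    d_prime = biased_distribution()
    f = grade_weights(d_prime)
    n = len(f)
    delta_exp = m * sum((p - 1.0 / n) * fb for p, fb in zip(d_prime, f))
    var = 16 * m * (sum(fb * fb for fb in f) / n - (sum(f) / n) ** 2)
    return delta_exp, var


def frames_for_top_rank(key_bits=KEY_BITS):
    """Smallest m with Delta/sqrt(Var) >= sqrt(2 ln 2^key_bits), a Gaussian-tail
    rule (assumption, not the paper's Eq.(17)) for the right guess to top a
    chart of 2^key_bits scores; both moments scale linearly in m."""
    d1, v1 = predicted_moments(1)
    target = math.sqrt(2 * key_bits * math.log(2))
    return math.ceil((target * math.sqrt(v1) / d1) ** 2)


if __name__ == "__main__":
    m = 6 * frames_for_top_rank()          # comfortable margin over the bound
    ranking, scores = rank_guesses(m)
    delta, var = predicted_moments(m)
    print(f"m={m}: top guess {ranking[0]:#08b}, right key {RIGHT_KEY:#08b}")
    print(f"right key scored {scores[RIGHT_KEY]:.1f}; Eq.(15)/(16) predict "
          f"{delta:.1f} +/- {math.sqrt(var):.1f}, wrong guesses near 0")
```

Running the block prints the top-ranked guess and compares the right key's score with the gap predicted by (15) and the spread predicted by (16); the wrong guesses score around zero because $\sum_b f(b) = 0$. With the constructed values, $\Delta\mathrm{Exp}/\sqrt{\mathrm{Var}}$ grows as $0.108\sqrt{m}$, the same $\sqrt{m}$ dependence as Eq.(14), with a toy constant in place of $\lambda^8$.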
Abstract. It is almost folklore knowledge that hash-based time-stamping schemes are secure if the underlying hash function is collision-resistant, but still no rigorous proofs have been published. We try to establish such a proof and conclude that the existing security conditions are improper because they ignore precomputations by adversaries. After analyzing a simplistic patent filing scenario, we suggest a new security condition for time-stamping schemes that leads to a new security property of hash functions: chain-resistance. We observe that if the variety of possible shapes of hash-chains is polynomial (and the verification procedure is suitably improved), then the time-stamping scheme becomes provably secure, assuming that the underlying hash function is collision-resistant. Finally, we show that in some sense the restrictions in the security definition are necessary: conventional black-box techniques are unable to prove that chain-resistance follows from collision-resistance.



1 Introduction 

The main goal of digital time-stamping is to prove that electronic data-items 
were created or registered at a certain time. A simple method is to use a trusted 
service (with a precise clock) that provides data items with current time value 
and digitally signs them. The assumption of unconditionally trusted service hides 
a risk of possible collusions that may not be acceptable in applications. The risks 
are especially high in centralized applications like electronic patent- or tax filing 
as well as in electronic voting, where the possible collusions are related to direct 
monetary (or even political) interests. 

First attempts to eliminate trusted services from time-stamping schemes were 
made in [4], where cryptographic hash functions and publishing were used to 
replace electronic signatures. To date, several improvements of hash-based time- 
stamping schemes have been presented [1-3]. Such schemes have been used in 
business applications and are even included in international standards [9] . 

The combined monetary value of electronic content (insured, in particular, with time stamps) increases over time and so does the risk associated with it. A decision of a content manager to start using a certain time-stamping service for protecting electronic records must involve the assessment of long-term security risks. Desirably, such assessments should be based on analytical arguments. As an example of such an argument, modern cryptography can prove that there are no structural flaws (or principal design errors) in security solutions, assuming that their basic building blocks (such as hash functions) are secure. The use of provably secure time-stamping schemes can avoid many practical risks.

Regardless of the growing importance of hash-based time-stamping schemes, 
their security is only superficially studied in scientific literature. In [5], a formal 
security condition for hash-based time-stamping schemes was presented and an 
informal sketch of a security proof was outlined. Though no rigorous proofs were 
presented it has become almost a public myth that the security of hash-based 
time-stamping schemes can be reduced to the collision-resistance of underlying 
hash functions. Thus far, no more related studies have been published. 

In this paper, we revisit the security analysis of hash-based time-stamping 
schemes [5]. We observe that the formal security condition stated in [5] is un- 
reachably strong because it overlooks pre-computations of the adversary. 

Inspired by a simplistic patent filing scenario, we present a new security 
condition for time-stamping schemes that leads to a new security condition for 
hash functions - chain-resistance - necessary for the scheme [5] to be secure. We 
show that additional checks in the verifying procedure render the conventional 
time-stamping schemes provably secure in the new sense, based on collision- 
resistance of the hash function. The additions concern an examination of whether 
the shape of the hash-chain included into a time stamp belongs to a certain 
(polynomial) set of templates. This may seem a minor detail but as no currently 
used time-stamping schemes implement it, none of them are provably secure. 

We further examine the necessity of said additional checks in the verification 
procedure and prove that without these checks it is probably very hard (if not 
impossible) to prove the security of the schemes of type [5] based on collision- 
resistance alone. We present an oracle relative to which there exist collision- 
resistant hash functions which are not chain-resistant. Almost all security proofs 
relativize - are valid relative to any oracle. Therefore, any security proof of the 
unmodified schemes should use either non-standard (non-relativizing) proof tech- 
niques or stronger/incomparable security assumptions on the underlying hash 
function. For example, it is easy to prove that entirely random hash functions (random oracles) are chain-resistant. In practice, it is often assumed that SHA-1 and other hash functions behave like random oracles, which means that in such a setting their use in practical time-stamping schemes is justified. At the same time, it is still possible that a time-stamping scheme that uses SHA-1 is totally insecure while no collisions are found for SHA-1.



2 Notation and Definitions

By $x \leftarrow \mathcal{D}$ we mean that $x$ is chosen randomly according to a distribution $\mathcal{D}$. If $A$ is a probabilistic function or a Turing machine, then $x \leftarrow A(y)$ means that $x$ is chosen according to the output distribution of $A$ on an input $y$. By $U_n$ we denote the uniform distribution on $\{0,1\}^n$. If $\mathcal{D}_1, \ldots, \mathcal{D}_m$ are distributions and $F(x_1, \ldots, x_m)$ is a predicate, then $\Pr[x_1 \leftarrow \mathcal{D}_1, \ldots, x_m \leftarrow \mathcal{D}_m : F(x_1, \ldots, x_m)]$ denotes the probability that $F(x_1, \ldots, x_m)$ is true after the ordered assignment of $x_1, \ldots, x_m$. We write $f(k) = O(g(k))$ if there are $c, k_0 \in \mathbb{R}$ so that $f(k) \le c\, g(k)$ ($\forall k > k_0$). We write $f(k) = \omega(g(k))$ if $g(k) = O(f(k))$ but $f(k) \ne O(g(k))$. A function $f : \mathbb{N} \to \mathbb{R}$ is negligible if $f(k) = k^{-\omega(1)}$. A Turing machine $M$ is polynomial-time (poly-time) if it runs in time $k^{O(1)}$, where $k$ denotes the input size. Let $\mathsf{F}^*$ be the class of all functions $f : \{0,1\}^* \to \{0,1\}^*$. Let $\mathsf{FP}$ be the class of all functions $f \in \mathsf{F}^*$ computable by poly-time Turing machines $M$. A distribution $\mathcal{D}$ on $\{0,1\}^*$ is polynomially sampleable if it is an output distribution of a poly-time Turing machine.

By an oracle Turing machine we mean an incompletely specified Turing machine $S$ that comprises calls to oracles. The description can be completed by defining the oracle as a function $O \in \mathsf{F}^*$. In this case, the machine is denoted by $S^O$. An oracle $O$ is not necessarily computable but may still have an assigned conditional (worst-case) running time $t(k)$, which may or may not reflect the actual amount of computation performed by $O$ internally. The running time of $S^O$ comprises the conditional worst-case running time $t(k)$ of oracle calls: each call takes $t(k)$ steps. An oracle $O$ is poly-time if $t(k) = k^{O(1)}$. We say that $S$ is a poly-time oracle machine if the running time of $S^O$ is polynomial whenever $O$ is poly-time. Let $\mathsf{FP}^*$ denote the class of all poly-time oracle machines. Let $\mathsf{FP}^O$ be the class of all functions computable by poly-time oracle machines $S^O$.

A primitive $\mathfrak{P}$ is a class of (not necessarily computable by ordinary Turing machines) functions intended to perform a security-related task (e.g. data confidentiality, integrity etc.). Each primitive $\mathfrak{P}$ is characterized by the success $\delta(k)$ of an adversary $A$. For example, a collision-resistant hash function is a function family $\{h_k\}_{k \in \mathbb{N}}$, where $h_k : \{0,1\}^{2k} \to \{0,1\}^k$ and

$$\delta(k) = \Pr[(x, x') \leftarrow A(1^k) : x \ne x',\ h_k(x) = h_k(x')].$$

In more rigorous definitions [12], $h_k$ is randomly chosen from a set of functions $\subset \mathsf{F}^*$. Otherwise $A$ may output a fixed collision. We write $h(x)$ instead of $h_k(x)$. Sometimes, we need hash functions $\mathcal{H} = \{\mathcal{H}_k\}_{k \in \mathbb{N}}$ of type $\mathcal{H}_k : \{0,1\}^* \to \{0,1\}^k$. An adversary $A \in \mathsf{F}^*$ breaks $f \in \mathfrak{P}$ (and we write "$A$ breaks $f$") if $A$ has non-negligible success. An instance $f \in \mathfrak{P}$ is secure if no $A \in \mathsf{FP}$ breaks $f$. An instance $f \in \mathfrak{P}$ is secure relative to an oracle $O$ if no $A \in \mathsf{FP}^O$ breaks $f$.


3 Time-Stamping Schemes and Their Security

3.1 The Scheme of Haber and Stornetta

A time-stamping scheme [5] involves three parties: a Client $C$, a Server $S$, and a Repository $\mathfrak{R}$; and two procedures, one for time-stamping a data item and one for verifying a time stamp (Fig. 1). It is assumed that $\mathfrak{R}$ is write-only and receives items from $S$ in an authenticated manner.

Time-stamping procedure is divided into rounds of equal duration. During each round, $S$ receives requests from Clients. For simplicity, all requests $x_1, \ldots, x_m$ are assumed to be bit-strings $x_i \in \{0,1\}^k$. When the $t$-th round is over, $S$ computes a compound hash $r_t \in \{0,1\}^k$ by using a function $h : \{0,1\}^{2k} \to \{0,1\}^k$ and a tree-shaped hashing scheme $r_t = G_h(x_1, \ldots, x_m)$. For example, if the requests of the $t$-th round are $x_1, x_2, x_3, x_4$, then $S$ may compute $r_t = h(x_1, h(h(x_2, x_3), x_4))$. Next, $S$ sends $r_t$ to $\mathfrak{R}$ (in a secure way), where it is stored as a pair $(t, r_t)$.

Fig. 1. The scheme of Haber and Stornetta (a simplified model)

After that, $S$ issues for each request $x$ a time-certificate $c = (x, t, n, z)$, where $t$ is the current time value, $n$ is an identifier $n = n_1 n_2 \ldots n_\ell \in \{0,1\}^\ell$, and $z$ is a sequence $z = (z_1, z_2, \ldots, z_\ell) \in (\{0,1\}^k)^\ell$. In the scheme of Fig. 1, the time-certificate for $x_1$ is $(x_1, t, 0000, (z_1, z_2, z_3, z_4))$, where $z_1 = x_2$, $z_2 = h(x_3, x_4)$, $z_3 = h(h(x_5, x_6), x_7)$, and $z_4 = h(x_8, x_9)$.

Verification procedure is performed by $C$ as follows. To verify $(x, t, n, z)$, $C$ computes a hash value by using $h$ and $F_h(x; n; z)$, which computes a sequence $y = (y_0, y_1, \ldots, y_\ell) \in (\{0,1\}^k)^{\ell+1}$ inductively, so that $y_0 := x$ and

$$y_i = \begin{cases} h(z_i, y_{i-1}) & \text{if } n_i = 1, \\ h(y_{i-1}, z_i) & \text{if } n_i = 0 \end{cases} \qquad (1)$$

for $i > 0$, and outputs $r'_t = F_h(x; n; z) := y_\ell$. Second, $C$ sends a query $t$ to $\mathfrak{R}$ and obtains $r_t$ as a reply. Finally, $C$ checks whether $r'_t = r_t$. Note that $n$ and $z$ can be equal to the empty string, in which case $F_h(x; n; z) = x$.

Security condition [5] states that the time-stamping scheme above is secure against $A_{HS} \in \mathsf{FP}$ that sends requests $x_1, \ldots, x_q$ to $S$ and queries to $\mathfrak{R}$. As a result, $A_{HS}$ outputs a time-certificate $(x, t, n, z)$, where $x \in \{0,1\}^k$, $n \in \{0,1\}^\ell$, and $z \in (\{0,1\}^k)^\ell$. The attack is considered successful if $x \notin \{x_1, \ldots, x_q\}$ and $F_h(x; n; z) = r_t$, where $r_t$ is assumed to be the correct response of $\mathfrak{R}$ to query $t$.
3.2 Analysis of the Security Condition

The scheme described above is insecure against the following behavior of $A_{HS}$:

- $A_{HS}$ chooses $x$ and $z_0$ uniformly at random.
- $A_{HS}$ sends $x_0 = h(x, z_0)$ to $S$ and obtains a time-certificate $(x_0, t, n, z)$.
- $A_{HS}$ computes a faked time-certificate $(x, t, 0\|n, z_0\|z)$,

where $\|$ denotes concatenation. By definition, $F_h(x; 0\|n; z_0\|z) = F_h(x_0; n; z) = r_t$. Hence, the attack is successful whenever $x \ne x_0$, because $x_0$ was the only request made by $A_{HS}$. If $h$ has reasonable security properties then $\Pr[x \ne x_0]$ is non-negligible (see footnote 1). This "attack" shows that the formal security definition does not follow the intuition behind time-stamping, because it overlooks the possibility of precomputations. As a success criterion, the condition $x \notin \{x_1, \ldots, x_q\}$ is improper because the notion of already time-stamped items is not sufficiently precise.



4 New Security Condition and Improved Schemes

4.1 New Security Condition

The new security condition is inspired by the following simplistic attack scenario, where Bob, a criminal who steals inventions, co-operates with a server $S$:

- Bob precomputes (not necessarily with $G_h$) some hash values $r_1, \ldots, r_s$ that may help him to back-date documents in the future. His collaborator $S$ sends the hash values to $\mathfrak{R}$, where they are stored as pairs $(t_1, r_1), \ldots, (t_s, r_s)$.
- Alice, an inventor, creates a description $X_A \in \{0,1\}^*$ of her invention and requests a time certificate for $x_A = \mathcal{H}(X_A)$, where $\mathcal{H} : \{0,1\}^* \to \{0,1\}^k$ is a (collision-resistant) hash function.
- Some time later, the invention is disclosed to the public and Bob tries to steal the rights to Alice's invention. He creates a slightly modified version $X_B$ of $X_A$ (at least the author's name should be replaced), and tries to back-date it relative to $X_A$. Bob is successful if he finds $n$ and $z$ so that $F_h(x_B; n; z) \in \{r_1, \ldots, r_s\}$. Bob can use $(x_B, t, n, z)$ to claim his rights to the invention.

In order to formalize such an attack scenario, a two-staged adversary $A = (A_1, A_2)$ is needed. The first stage $A_1$ precomputes a set $\mathfrak{R} = \{r_1, \ldots, r_s\}$, after which the second stage $A_2$ obtains a new document $X \in \{0,1\}^*$ ("a document unknown to mankind before") and tries to back-date it by finding $n$ and $z$ so that $F_h(\mathcal{H}(X); n; z) \in \mathfrak{R}$. The term new document is hard to define formally. As we saw, the condition $\mathcal{H}(X) \notin \{x_1, \ldots, x_q\}$ does not guarantee that $X$ is really new. We assume that $X$ is chosen according to a distribution $\mathcal{D}$ on $\{0,1\}^*$ that is somewhat unpredictable to $A$. The success of $A$ is defined as follows:

$$\delta(k) = \Pr[(\mathfrak{R}, a) \leftarrow A_1(1^k),\ X \leftarrow \mathcal{D},\ (n, z) \leftarrow A_2(X, a) : F_h(\mathcal{H}(X); n; z) \in \mathfrak{R}], \qquad (2)$$

where $a$ denotes state information sent from $A_1$ to $A_2$. Note that (2) can be simplified by assuming $|\mathfrak{R}| = 1$, because this reduces $\delta(k)$ only polynomially.

Footnote 1: If $h$ is collision-resistant, $\Pr[x = x_0] = \Pr[x, z_0 \leftarrow U_k : h(x, z_0) = x] = \delta$, and $p_x = \Pr[x' \leftarrow U_k : h(x, x') = x]$, then the collision-finding adversary $(xx', xx'') \leftarrow A(1^k)$ (where $x, x', x'' \leftarrow U_k$ are independent random bit-strings) has non-negligible success. Indeed, the probability $\delta'$ that $A$ outputs a collision for $h$ (possibly with $x' = x''$) is $\delta' \ge \sum_x \Pr[x]\, p_x^2 \ge \big(\sum_x \Pr[x]\, p_x\big)^2 = \delta^2$, where $\Pr[x] = \Pr[X \leftarrow U_k : X = x]$. Hence, the overall success of $A$ is at least $\delta^2 - 2^{-k}$.

Necessary Conditions for $\mathcal{D}$. Intuitively, the prediction of $\mathcal{D}$ must require a super-polynomial time-success ratio, i.e. every $A$ with running time $T(k)$ and success $\delta(k) = \Pr[\mathfrak{R} \leftarrow A(1^k), x \leftarrow \mathcal{D} : x \in \mathfrak{R}]$ has time-success ratio $T(k)/\delta(k) = k^{\omega(1)}$. In case $\mathcal{D}$ is polynomially sampleable, an equivalent assumption is that

$$P_c(\mathcal{D}) = \Pr[y \leftarrow \mathcal{D},\ x \leftarrow \mathcal{D} : x = y] = k^{-\omega(1)}, \qquad (3)$$

where $P_c(\mathcal{D})$ is the collision probability of $\mathcal{D}$. Indeed, if for a poly-time $A$ we have $\Pr[\mathfrak{R} \leftarrow A(1^k), x \leftarrow \mathcal{D} : x \in \mathfrak{R}] = k^{-O(1)}$, then there is $\mathfrak{R}_0 \subset \{0,1\}^k$ so that $|\mathfrak{R}_0| = k^{O(1)}$ and $\Pr[x \leftarrow \mathcal{D} : x \in \mathfrak{R}_0] = k^{-O(1)}$. Thus,

$$\exists\, r \in \mathfrak{R}_0 : \ p = \Pr[x \leftarrow \mathcal{D} : x = r] \ge |\mathfrak{R}_0|^{-1} \cdot k^{-O(1)} = k^{-O(1)},$$

and hence $P_c(\mathcal{D}) \ge p^2 = k^{-O(1)}$. If, in turn, $P_c(\mathcal{D}) = k^{-O(1)}$, then every $A$ with output distribution $\mathcal{D}$ has success $\delta(k) = k^{-O(1)}$.

The condition (3) is equivalent to the requirement that $\mathcal{D}$ has Rényi entropy $H_2(\mathcal{D}) = -\log_2 P_c(\mathcal{D}) = \omega(\log k)$, and is in fact necessary for a time-stamping scheme to be secure relative to $\mathcal{D}$. Indeed, if $A_1$ is defined to output $y \leftarrow \mathcal{D}$ and $A_2(x, a)$ outputs the empty identifier and the empty sequence (for any $x$ and $a$), then $(A_1, A_2)$ has success $P_c(\mathcal{D})$.

Chain-Resistant Hash Functions. The security definition (2) implies that $h$ must satisfy the following new security condition for hash functions:

Definition 1. A hash function $h$ is chain-resistant (relative to a distribution $\mathcal{D}_k$ on $\{0,1\}^k$) if for every adversary $A = (A_1, A_2) \in \mathsf{FP}$:

$$\Pr[(\mathfrak{R}, a) \leftarrow A_1(1^k),\ x \leftarrow \mathcal{D}_k,\ (n, z) \leftarrow A_2(x, a) : F_h(x; n; z) \in \mathfrak{R}] = k^{-\omega(1)}. \qquad (4)$$

It is easy to show that if a time-stamping scheme is secure relative to $\mathcal{D}$, then the hash function $h$ is chain-resistant relative to $\mathcal{H}(\mathcal{D})$.

4.2 Improved Verification Procedure

We will prove later that the conventional black-box techniques are insufficient to imply chain-resistance from collision-resistance, and hence the security of time-stamping schemes in the sense of (2) cannot be proved under the collision-resistance condition alone. We modify the verification procedure in a way that prevents the adversary from finding chains for $h$ without finding collisions as by-products. We restrict the set $\mathfrak{N} \subset \{0,1\}^*$ of identifiers (possible shapes of hash chains) that are considered valid by the verification procedure and show that if $|\mathfrak{N}| = k^{O(1)}$ then the collision-resistance of $h$ is sufficient for a time-stamping scheme to be secure. The modified verification procedure is defined as follows:

New Verification Procedure. To verify a time-certificate $(x, t, n, z)$ for $X \in \{0,1\}^*$, $C$ checks if $x = \mathcal{H}(X)$, computes a hash value $r'_t$ using $F_h(x; n; z)$ defined by (1), sends a query $t$ to $\mathfrak{R}$ to obtain $r_t$, and checks if $r'_t = r_t$ and $n \in \mathfrak{N}$.

To be usable in practical time-stamping, the condition $n \in \mathfrak{N}$ must be efficiently verifiable. One way to achieve this is to set $\mathfrak{N} = \{0,1\}^{k_0}$, where $k_0$ is constant, which means that $n \in \mathfrak{N}$ is equivalent to $|n| = k_0$ and is naturally efficiently computable. The set $\mathfrak{N}$ can be viewed as a template of a hashing scheme that is published by the service provider before the service starts. As we consider service providers as possible adversaries, $\mathfrak{N}$ is created by the adversary. The restrictions above lead us to a weaker condition with the following notion of success:

$$\Pr[(\mathfrak{R}, \mathfrak{N}, a) \leftarrow A_1(1^k),\ X \leftarrow \mathcal{D},\ (n, z) \leftarrow A_2(X, a) : F_h(\mathcal{H}(X); n; z) \in \mathfrak{R},\ n \in \mathfrak{N}]. \qquad (5)$$
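The scheme of Section 3.1, the back-dating attack of Section 3.2 and the template check of Section 4.2, as an added example that is not the paper's code. It instantiates $h$ as SHA-256 over the $2k$-byte concatenation and $\mathcal{H}$ as SHA-256 (constructed choices, with $k = 32$ bytes), uses a left-to-right binary tree for $G_h$ (a constructed shape; the paper's Fig. 1 differs), and works at the level of requests $x$, so the $x = \mathcal{H}(X)$ step of the new procedure is left to the caller. All function names and the sample documents are constructed for the example.

```python
"""Haber-Stornetta hash-chain certificates (Eq.(1)), the precomputation attack
of Section 3.2 and the template check of Section 4.2 (added example, not the
paper's code).  h = SHA-256 over 2k bytes, H = SHA-256, k = 32 bytes."""
import hashlib
import itertools
import os

K = 32  # output length of h and H in bytes (k in the paper)


def h(a, b):
    """Two-to-one hash h: {0,1}^{2k} -> {0,1}^k."""
    assert len(a) == K and len(b) == K
    return hashlib.sha256(a + b).digest()


def H(document):
    """H: {0,1}^* -> {0,1}^k, turning a document X into a request x."""
    return hashlib.sha256(document).digest()


def F(x, n, z):
    """Eq.(1): y_0 = x; y_i = h(z_i, y_{i-1}) if n_i = '1' else h(y_{i-1}, z_i).
    n is a string of bits, z a list of k-byte siblings; empty n, z give x."""
    assert len(n) == len(z)
    y = x
    for bit, zi in zip(n, z):
        y = h(zi, y) if bit == "1" else h(y, zi)
    return y


def build_round(requests):
    """Tree-shaped G_h over the requests (left-to-right binary tree, a
    constructed shape).  Returns r_t and, per request, its chain (n, z)."""
    paths = {i: ("", []) for i in range(len(requests))}
    level = [(x, [i]) for i, x in enumerate(requests)]   # (node, leaves below)
    while len(level) > 1:
        nxt = []
        for (left, ll), (right, rl) in zip(level[0::2], level[1::2]):
            for i in ll:     # sibling on the right: y = h(y, z), n_i = 0
                n, z = paths[i]
                paths[i] = (n + "0", z + [right])
            for i in rl:     # sibling on the left: y = h(z, y), n_i = 1
                n, z = paths[i]
                paths[i] = (n + "1", z + [left])
            nxt.append((h(left, right), ll + rl))
        if len(level) % 2:   # unpaired node moves up without a hash step
            nxt.append(level[-1])
        level = nxt
    return level[0][0], paths


def stamp_round(repo, requests):
    """Server side of one round: store (t, r_t) in the write-only repository
    and issue a certificate (x, t, n, z) for every request."""
    t = len(repo) + 1
    r_t, paths = build_round(requests)
    repo[t] = r_t
    return [(x, t, paths[i][0], paths[i][1]) for i, x in enumerate(requests)]


def verify_hs(cert, repo):
    """Original verification: F_h(x; n; z) must equal the published r_t."""
    x, t, n, z = cert
    return F(x, n, z) == repo[t]


def verify_improved(cert, repo, template):
    """Section 4.2: additionally require the chain shape n to lie in the
    published template set N."""
    x, t, n, z = cert
    return n in template and F(x, n, z) == repo[t]


def template_of_length(k0):
    """N = {0,1}^{k0}: every identifier of the fixed length k0."""
    return {"".join(bits) for bits in itertools.product("01", repeat=k0)}


def backdating_attack(repo, honest_requests):
    """Section 3.2: pick x, z0 at random, get x0 = h(x, z0) stamped, then forge
    (x, t, 0||n, z0||z): F_h(x; 0||n; z0||z) = F_h(x0; n; z) = r_t although x
    itself was never submitted."""
    x, z0 = os.urandom(K), os.urandom(K)
    x0 = h(x, z0)
    _, t, n, z = stamp_round(repo, honest_requests + [x0])[-1]
    return (x, t, "0" + n, [z0] + z)


def demo():
    """A four-request round, the attack, and both verifiers on the result."""
    repo = {}
    certs = stamp_round(repo, [H(b"doc-%d" % i) for i in range(4)])  # constructed
    forged = backdating_attack(repo, [H(b"other-%d" % i) for i in range(3)])
    template = template_of_length(2)      # depth of a 4-leaf tree
    return {
        "honest_pass_hs": all(verify_hs(c, repo) for c in certs),
        "honest_pass_improved": all(verify_improved(c, repo, template) for c in certs),
        "forged_passes_hs": verify_hs(forged, repo),
        "forged_passes_improved": verify_improved(forged, repo, template),
        "forged_chain_length": len(forged[2]),
    }


if __name__ == "__main__":
    print(demo())
```

The forged certificate passes the original check because the only request the adversary ever made was $x_0$, not $x$; the template check rejects it because the forged chain is one step longer than any chain the server publishes, which is exactly what the fixed-length template $\mathfrak{N} = \{0,1\}^{k_0}$ enforces.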



4.3 Proof of Security

We prove that the security of the modified hash-based time-stamping schemes follows from the collision-resistance of $h$ and $\mathcal{H}$.

Definition 2. Let $y = (y_0, y_1, \ldots, y_\ell)$ and $y' = (y'_0, y'_1, \ldots, y'_{\ell'})$ be two sequences produced by $F_h(x; n; z)$ and $F_h(x'; n'; z')$ respectively, by using (1). Let $z = (z_1, \ldots, z_\ell)$, $z' = (z'_1, \ldots, z'_{\ell'})$, $n = n_1 \ldots n_\ell$, and $n' = n'_1 \ldots n'_{\ell'}$. We say that the sequences $y$ and $y'$ comprise a collision if for some indices $i \in \{1, \ldots, \ell\}$ and $j \in \{1, \ldots, \ell'\}$, $h(a, b) = y_i = y'_j = h(a', b')$ but $(a, b) \ne (a', b')$, where

$$(a, b) = \begin{cases} (z_i, y_{i-1}) & \text{if } n_i = 1 \\ (y_{i-1}, z_i) & \text{if } n_i = 0 \end{cases}
\qquad \text{and} \qquad
(a', b') = \begin{cases} (z'_j, y'_{j-1}) & \text{if } n'_j = 1 \\ (y'_{j-1}, z'_j) & \text{if } n'_j = 0. \end{cases}$$

Lemma 1. If $x \ne x'$ and $F_h(x; n; z) = F_h(x'; n; z')$, then the sequences $y$ and $y'$ computed internally by $F_h(x; n; z)$ and $F_h(x'; n; z')$ comprise a collision.

Proof. Let $\ell$ be the bit-length of $n$. As $x = y_0 \ne y'_0 = x'$ and $y_\ell = F_h(x; n; z) = F_h(x'; n; z') = y'_\ell$, there exists $i \in \{1, \ldots, \ell\}$ such that $y_i = y'_i$ and $y_{i-1} \ne y'_{i-1}$. Hence, either $h(z_i, y_{i-1}) = h(z'_i, y'_{i-1})$ or $h(y_{i-1}, z_i) = h(y'_{i-1}, z'_i)$. In both cases, we have a collision. □

Theorem 1. If $h$ and $\mathcal{H}$ are collision-resistant, then the time-stamping scheme is secure in the sense of (5) relative to every polynomially sampleable $\mathcal{D}$ with Rényi entropy $H_2(\mathcal{D}) = \omega(\log k)$.

Proof. Let $A = (A_1, A_2)$ be an adversary with running time $T(k)$ that breaks the time-stamping scheme in the sense of (5) with success $\delta(k)$. Assuming the collision-resistance of $\mathcal{H}$, we construct a collision-finding adversary $A'$ for $h$ with running time $T'(k) = T(k)^{O(1)}$ and with success $\delta'(k) \ge \delta^2(k)/|\mathfrak{N}| - P_c(\mathcal{H}(\mathcal{D}))$, and hence $T'(k)/\delta'(k) = (T(k)/\delta(k))^{O(1)}$. The adversary $A'$:

- calls $A_1$ and obtains $\mathfrak{R} = \{r_1, \ldots, r_m\}$, $\mathfrak{N} \subset \{0,1\}^*$, and $a \in \{0,1\}^*$;
- generates two independent random strings $X, X' \leftarrow \mathcal{D}$ and calls $A_2$ twice to obtain $(n, z) \leftarrow A_2(X, a)$ and $(n', z') \leftarrow A_2(X', a)$;
- simulates $F_h(\mathcal{H}(X); n; z)$ and $F_h(\mathcal{H}(X'); n'; z')$.

If $F_h(\mathcal{H}(X); n; z) = F_h(\mathcal{H}(X'); n'; z')$, $\mathcal{H}(X) \ne \mathcal{H}(X')$, and $n = n'$, then by Lemma 1 above, $A'$ is able to find a collision for $h$. By Lemma 2 below, the probability that all these conditions hold is at least $\delta^2(k)/|\mathfrak{N}| - P_c(\mathcal{H}(\mathcal{D}))$.

It remains to show that $P_c(\mathcal{H}(\mathcal{D})) = k^{-\omega(1)}$. Let $\mathbf{C}$ be a collision-finding adversary that on input $1^k$ generates $X \leftarrow \mathcal{D}$ and $X' \leftarrow \mathcal{D}$ independently at random and outputs $(X, X')$. Let $E_1$ denote the event that $X = X'$. Hence, $\Pr[E_1] = P_c(\mathcal{D}) = k^{-\omega(1)}$. Let $E_2$ be the event that $\mathcal{H}(X) = \mathcal{H}(X')$. As $\mathcal{H}$ is collision-resistant, the success of $\mathbf{C}$ is $\Pr[E_2 \setminus E_1] = k^{-\omega(1)}$, and due to $E_1 \subseteq E_2$, we have $P_c(\mathcal{H}(\mathcal{D})) = \Pr[E_2] = \Pr[E_1] + \Pr[E_2 \setminus E_1] = k^{-\omega(1)}$. □

Lemma 2. The success of $A'$ is at least $\delta^2(k)/|\mathfrak{N}| - P_c(\mathcal{H}(\mathcal{D}))$. (See the Appendix.)

Remark. Using the improved verification procedure, it is possible to achieve the original security condition of Haber and Stornetta, assuming that the server $S$ is honest and the set $\mathfrak{N}$ is a prefix-free code with a polynomial number of words.



5 Necessity of the Improved Verification

In this section, we prove that the conventional proof techniques used in theoretical cryptography, black-box reductions and semi black-box reductions, are unable to prove that collision-resistance implies chain-resistance. Hence, in some sense, the modifications in time-stamping schemes are necessary for establishing their provable security. For the self-containedness of this paper, we introduce some basic results about oracle separation, which have been used to prove several "impossibilities" in theoretical cryptography [6-8, 13].

5.1 Cryptographic Reductions and Oracle Separation

Almost all known constructions of a new primitive $\mathfrak{P}_2$ from another $\mathfrak{P}_1$ belong to one of the following two types:

Definition 3. A semi black-box reduction from $\mathfrak{P}_1$ to $\mathfrak{P}_2$ is a machine $P \in \mathsf{FP}^*$, so that (1) $P^f \in \mathfrak{P}_2$ ($\forall f \in \mathfrak{P}_1$) and (2) for any $A_2 \in \mathsf{FP}^*$ there exists $A_1 \in \mathsf{FP}^*$, so that $A_2^f$ breaks $P^f$ implies $A_1^f$ breaks $f$ ($\forall f \in \mathfrak{P}_1$).

508 A. Buldas and M. Saarepera 



Definition 4. A (fully) black-box reduction from fPi to ‘^2 is a pair of ma- 
chines P,Sg FP*, so that (1) G IP2 fV/ G ‘^ 1 ); and (2) A breaks P^ 

^2 

implies breaks / (\/f G fPi,VA G F*J. 

Vi 

Note that the universal quantifiers apply over F* instead of FP. The reason is 
that uniform reductions stay valid if the quantifiers’ range is extended from FP 
to F* and this is exactly what expresses the black-box nature of / and A in these 
reductions. We will use the following folklore lemmas about oracle separation. 

Lemma 3. (A) If there is $f \in \mathcal{P}_1 \cap \mathrm{FP}^O$ secure relative to $O$ but no $g \in \mathcal{P}_2 \cap \mathrm{FP}^O$ is secure relative to $O$, then there exist no (fully) black-box reductions from $\mathcal{P}_1$ to $\mathcal{P}_2$. (B) If in addition, $O = \pi^f$ (equality of functions) for a $\pi \in \mathrm{FP}^*$, then there exist no semi black-box reductions from $\mathcal{P}_1$ to $\mathcal{P}_2$.

Proof. (A) Suppose $(S, P)$ is a black-box reduction from $\mathcal{P}_1$ to $\mathcal{P}_2$. According to the assumptions, $g = P^f \in \mathcal{P}_2 \cap \mathrm{FP}^O$ and $g$ is insecure relative to $O$. Hence, $A$ breaks $g = P^f$ for some $A \in \mathrm{FP}^O \subseteq \mathrm{F}^*$. It follows that $S^{f,A}$ breaks $f$, contradicting $S^{f,A} \in \mathrm{FP}^O$ (as $f$ is secure relative to $O$). (B) Suppose $P$ is a semi black-box reduction from $\mathcal{P}_1$ to $\mathcal{P}_2$. Let $f \in \mathcal{P}_1 \cap \mathrm{FP}^O$ be a secure (relative to $O$) instance of $\mathcal{P}_1$. Let $O = \pi^f$ for some $\pi \in \mathrm{FP}^*$. According to the assumptions, $g = P^f \in \mathcal{P}_2 \cap \mathrm{FP}^O$ and $g$ is insecure relative to $O$. Hence, $A$ breaks $g = P^f$ for some $A \in \mathrm{FP}^O$. Therefore, taking $A_2 = A^{\pi} \in \mathrm{FP}^*$ we have that $A = A^O = A^{\pi^f} = A_2^f$ breaks$_{\mathcal{P}_2}$ $P^f$. Hence, there exists $A_1 \in \mathrm{FP}^*$, so that $A_1^f$ breaks $f$, which contradicts $A_1^f \in \mathrm{FP}^O$ (as $f$ is secure relative to $O$). □



Definition 5. A (semi/fully) black-box reduction is said to be a self reduction if $P$ is a trivial machine, i.e. $P^f = f$ (for every $f$).

Lemma 4. (A) If relative to $O$ there is a secure instance $f \in \mathcal{P}_1$, which is also an insecure instance of $\mathcal{P}_2$, then there exist no (fully) black-box self reductions from $\mathcal{P}_1$ to $\mathcal{P}_2$. (B) If in addition, $O = \pi^f$ (equality of functions) for a $\pi \in \mathrm{FP}^*$, then there exist no semi black-box self reductions from $\mathcal{P}_1$ to $\mathcal{P}_2$.

The proof of Lemma 4 is completely analogous to the proof of Lemma 3.

5.2 Non-existence of Fully Black-Box Self Reductions 

We define an oracle $O$, relative to which there exists a collision-resistant hash function $H: \{0,1\}^{2k} \to \{0,1\}^k$ (chosen randomly from a set $\mathfrak{H}$ of functions) that is not chain-resistant. The oracle $O$ responds to the following queries:

— $H$-queries that given as input $(x_1, x_2) \in \{0,1\}^{2k}$ return $H(x_1, x_2) \in \{0,1\}^k$.

— $A_1$-queries that given as input $1^k$ return the root $r_k$ of a Merkle tree [11] $M_k$, the leaves of which are all $k$-bit strings in lexicographic order (Fig. 2).

— $A_2$-queries that given as input a bit string $x \in \{0,1\}^k$ find $z \in (\{0,1\}^k)^*$, based on $M_k$, so that $F_H(x; x; z) = r_k$, and output a pair $(x, z)$.
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We assume that $O$-queries are of unitary cost and hence $H$ is not chain-resistant relative to $O$. We define $\mathfrak{H}$ so that $O$ is insufficient for finding collisions for $H$.

Let $\mathfrak{H}$ be the set of all functions $H$, such that for all $k$: (1) all non-leaf vertices in $M_k$ contain different elements of $\{0,1\}^k$ and (2) all sibling-pairs (including the leaves) are different. Hence, the argument-value pairs in $M_k$ do not comprise collisions, and $A_1$- and $A_2$-queries do not help in finding collisions for $H$.
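As an added illustration (not code from the paper), the following Python script builds the Merkle tree $M_k$ over all $k$-bit strings for a small $k$, answers an $A_2$-query by extracting the hash chain $z$ for a leaf, verifies it with a function playing the role of $F_h(x; n; z)$, and implements the Lemma 1 argument used by the adversary $A'$ in the proof of Theorem 1 above: two chains with the same identifier $n$ and the same result but different start values contain a collision for $h$. Assumptions of the example: $h$ is SHA-256 truncated to 128 bits, the identifier $n$ is the leaf index whose bits (least significant first) fix the left/right position at each level, and the XOR toy hash exists only to make a collision-extraction run deterministic.

```python
import hashlib
from typing import Callable, List, Optional, Tuple

Hash = Callable[[bytes, bytes], bytes]
Pair = Tuple[bytes, bytes]


def h_sha(left: bytes, right: bytes) -> bytes:
    """Stand-in for the collision-resistant h (assumption): SHA-256 cut to 128 bits."""
    return hashlib.sha256(left + right).digest()[:16]


def h_xor(left: bytes, right: bytes) -> bytes:
    """Deliberately weak toy hash (XOR), used only to show collision extraction."""
    return bytes(a ^ b for a, b in zip(left, right))


def build_merkle_tree(leaves: List[bytes], h: Hash = h_sha) -> List[List[bytes]]:
    """All levels of the complete Merkle tree over `leaves` (a power-of-two count):
    levels[0] are the leaves, levels[-1] is [root]."""
    assert leaves and len(leaves) & (len(leaves) - 1) == 0
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([h(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels


def a2_query(levels: List[List[bytes]], n: int) -> List[bytes]:
    """The A2-query of Sect. 5.2: the hash chain z (one sibling per level) for
    leaf index n, so that chain_verify(leaf, n, z) equals the root."""
    z, idx = [], n
    for level in levels[:-1]:
        z.append(level[idx ^ 1])  # sibling of the current vertex
        idx >>= 1
    return z


def chain_verify(x: bytes, n: int, z: List[bytes], h: Hash = h_sha) -> bytes:
    """F_h(x; n; z): recompute the root from x along z. Assumption of this
    example: bit i of n (LSB first) is 1 iff the running value is the right
    child at level i."""
    v = x
    for i, sib in enumerate(z):
        v = h(sib, v) if (n >> i) & 1 else h(v, sib)
    return v


def extract_collision(x: bytes, x2: bytes, n: int, z: List[bytes],
                      z2: List[bytes], h: Hash = h_sha) -> Optional[Tuple[Pair, Pair]]:
    """Lemma 1 argument: two chains with the SAME identifier n, the same result
    and x != x2 contain a collision for h. Returns the two colliding input
    pairs, or None if the chains do not actually agree on their result."""
    if x == x2 or len(z) != len(z2):
        return None
    v, v2 = x, x2
    for i, (sib, sib2) in enumerate(zip(z, z2)):
        right = (n >> i) & 1
        pair = (sib, v) if right else (v, sib)
        pair2 = (sib2, v2) if right else (v2, sib2)
        # v != v2 occupy the same slot, so pair != pair2 at this level
        w, w2 = h(*pair), h(*pair2)
        if w == w2:
            return pair, pair2
        v, v2 = w, w2
    return None  # results differ: at least one chain was not valid


def demo(k: int = 4) -> dict:
    """Constructed run with k = 4: 16 one-byte leaves stand in for all k-bit strings."""
    leaves = [bytes([i]) for i in range(2 ** k)]
    levels = build_merkle_tree(leaves)
    root = levels[-1][0]
    z = a2_query(levels, 5)
    honest = chain_verify(leaves[5], 5, z) == root
    wrong_leaf = chain_verify(leaves[6], 5, z) == root
    # With the XOR toy hash a second chain for the same n is trivially forged;
    # extract_collision then points at the colliding input pairs.
    weak = build_merkle_tree(leaves, h_xor)
    z5 = a2_query(weak, 5)
    x2 = bytes([9])
    z2 = [bytes([z5[0][0] ^ 5 ^ 9])] + z5[1:]
    forged = chain_verify(x2, 5, z2, h_xor) == weak[-1][0]
    col = extract_collision(leaves[5], x2, 5, z5, z2, h_xor)
    return {"honest": honest, "wrong_leaf": wrong_leaf, "forged": forged, "collision": col}
```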

Lemma 5. Every collision-finding adversary $A^O$ for $H$ that makes $p(k) =$ oracle calls has success probability .

Proof. Let $S \subseteq \{0,1\}^{2k}$ denote the set of all pairs in the tree $M_k$. There are exactly $2^k - 1$ such pairs. Hence, there are $2^{2k} - 2^k + 1$ pairs in the complement $\bar{S} = \{0,1\}^{2k} \setminus S$. The restriction of $H$ to $\bar{S}$ behaves like a uniformly random function, while the restriction of $H$ to $S$ is injective. Hence, if $A^O$ finds a collision $(p_1, p_2)$ for $H$, then one or both of the pairs $p_1, p_2$ belong to $\bar{S}$.

Let $K \subseteq \{0,1\}^{2k}$ be the set of all pairs for which the value of $H$ is released. If $p_1, p_2 \in \bar{S}$, then the probability of finding collisions does not exceed , because the values of $H|_{\bar{S}}$ can only be obtained via $H$-queries.

If $p_1 \in S$ and $p_2 \in \bar{S}$, then the probability of finding a collision does not exceed , where $m$ is the number of $A_2$-queries, each of which releases no more than $k$ values of $H$. The maximum of the last function is achieved if $m \approx$ and hence the success is . □

Corollary 1. Fully black-box self reductions cannot prove that collision-resis- 
tance of h implies chain-resistance of h. 

5.3 Non-existence of Semi Black-Box Self Reductions 

The oracle $O$ defined above does not yet prove the non-existence of semi black-box self reductions because $H$ does not provide full access to $O$, i.e. $O \neq \pi^H$. Hence, we have to "embed" $O$ into $H$. We define a new hash function (oracle) $O_n: \{0,1\}^{2n} \to \{0,1\}^n$ recursively for all $n > 0$, assuming that its values are already defined for smaller indices.
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Let $M_n$ be a complete Merkle tree, the leaves of which are all $n$-bit strings in the lexicographic order. Each internal vertex $v$ in $M_n$ is computed as a hash $O_n(v_L, v_R)$ of the child vertices $v_L, v_R$ of $v$. Note that as we have not yet defined $O_n: \{0,1\}^{2n} \to \{0,1\}^n$, the tree $M_n$ is not yet defined either. We divide the domain $\{0,1\}^{2n} = \{(y_1, y_2): y_1, y_2 \in \{0,1\}^n\}$ into two non-intersecting parts:

— The set $S$ of all sibling pairs in $M_n$ that occur as inputs to $O$ during the computation of $M_n$. It contains leaf-sibling pairs of the form $(y0, y1)$, where $y \in \{0,1\}^{n-1}$, second-layer pairs of the form $(O(t00, t01), O(t10, t11))$, where $t \in \{0,1\}^{n-2}$, etc. (Fig. 2)

— The set $P$ of all other pairs.

Hence, to define $O_n$, we have to define two functions: $O_n^S: S \to \{0,1\}^n$ and $O_n^P: P \to \{0,1\}^n$. The function $O_n^S$ is defined in a deterministic way and is injective (no collisions can be found inside $S$), while $O_n^P$ is a random oracle (obviously collision-resistant!). In addition, if $n = 4k$, then we embed a chain-finding adversary for $O_k$ into $O_n^S$, which means that $O$ can find chains for itself and is thereby not chain-resistant.

First of all, we define (for $n = 4k$) an oracle $\mathcal{A}_n: \{0,1\}^{2n} \to \{0,1\}^n$ that can be used to find chains for $O_k$. The oracle $\mathcal{A}_n$ allows input pairs of the form $(0^{2k} x 0^{k-m} 1^m,\ 0^k 1^k x 0^{k-m} 1^m)$, where $x \in \{0,1\}^k$ and $m \in \{0, \dots, k\}$. The set $D$ of all such pairs has exactly $(k+1)2^k$ elements. Let $r_k$ be the root of $M_k$ (which has already been defined). On input of such form, the oracle $\mathcal{A}_n$ finds (based on $M_k$) $z \in (\{0,1\}^k)^*$, such that $F_O(x; x; z) = r_k$. We define $\mathcal{A}_n$ as follows:

$$\mathcal{A}_n(0^{2k} x 0^{k-m} 1^m,\ 0^k 1^k x 0^{k-m} 1^m) = \begin{cases} 1^k x 0^{k-m} 1^m x & \text{if } m = 0, \\ 1^k x 0^{k-m} 1^m z_m & \text{if } m \in \{1, \dots, k\}. \end{cases}$$

Obviously, $\mathcal{A}_n$ is injective and its values never coincide with the allowed inputs.

Now we are ready to define $O_n^S$. We begin with the case $n \neq 4k$, which is considerably easier, because there is no need to embed $\mathcal{A}_n$ into $O_n^S$. To define $O_n^S$ as an injection, it is sufficient to assign different $n$-bit strings to all $2^n - 1$ internal vertices of $M_n$. However, care must be taken that no sibling pairs (including the leaf sibling pairs) coincide with other pairs, because otherwise we may have a contradictory definition - different values are assigned to the same input pair. Such contradictions can be easily avoided if, as opposed to the leaf sibling pairs, the elements of internal sibling pairs are in decreasing order.

If $n = 4k$, then we have to embed $\mathcal{A}_n$ as a function into $O_n^S$. There are $2^{n-2} = 2^{4k-2}$ second layer pairs in $M_n$ and $(k+1)2^k$ arguments of $\mathcal{A}_n$ (elements of $D$). As $(k+1)2^k < 2^{4k-2}$ for any $k > 0$, there is an injection $e: D \to \{0,1\}^{n-2}$ and we can embed $D$ into the set of second layer pairs of $M_n$, so that for each $x \in \{0,1\}^k$ and $m \in \{0, \dots, k\}$ there is $t = e(x, m) \in \{0,1\}^{n-2}$, such that $O(t00, t01) = 0^{2k} x 0^{k-m} 1^m$ and $O(t10, t11) = 0^k 1^k x 0^{k-m} 1^m$. Now we apply $\mathcal{A}_n$ to the second layer pairs in $e(D)$ and store the values into $M_n$ as third layer vertices. Note that if $k > 1$, then there are still some second layer pairs for which the value of $O$ has not yet been defined. Note also that all non-leaf
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vertices defined thus far are different and hence, to conclude the definition of $O_n^S$, we define (in an arbitrary way) the values of the other vertices (not yet defined) so that all non-leaf vertices are different and hence $O_n^S$ is injective.

As said above, for every $n$ we choose $O_n^P$ uniformly at random from the set of all functions $P \to \{0,1\}^n$. We can do this now because $P$ is fixed after the procedure above. As in Lemma 5, we can show that $O$ is collision-resistant but not chain-resistant, because $O_{4k}$ can be used to find chains for $O_k$ (for any $k > 0$), and therefore also a time-stamping scheme that uses $O$ as a hash function (and (1) for verification) is insecure.

Corollary 2. Semi black-box self reductions cannot prove that collision-resis- 
tance of h implies chain-resistance of h. 

6 Discussion and Open Problems 

More Efficient Reductions. The reduction established in the proof of Theorem 1 does not give sufficient security guarantees for practical time-stamping schemes. To show this, assume that $k = 160$ (output size of SHA-1) and that there is an adversary $A = (A_1, A_2)$ with running time $T(k) = 2^{16}$ and with success probability $\delta(k) = 2^{-16} \approx 1/65000$. Hence, the time-success ratio is $T(k)/\delta(k) = 2^{32}$. If the time unit denotes the time elapsed for one hash operation and a computer performs 10,000 hash operations per second, then $T(k)$ is about six seconds. For practical time-stamping schemes, an attack with such a ratio is considered very serious. Now let us examine the consequences of Theorem 1. Assume that the collision-finding adversary $A'$ is implemented very efficiently, so that $T'(k) = 2T(k)$. By Lemma 2, the time-success ratio of $A'$ is $\frac{T'(k)}{\delta'(k)} \approx \frac{2\,T^3(k)}{\delta^2(k)}$, which is close to the birthday barrier and says nothing essential about security - any 160-bit hash function can be broken with that amount ($2^{80}$) of computational resources. Hence, even the highest security of $h$ does not exclude attacks with ratio $2^{32}$. The reduction gives practical security guarantees only in case $k > 400$, which is much larger than used in the existing schemes. Therefore, it would be very desirable to find more efficient reductions, say the linear-preserving ones [10], in which

Constructions of Chain-Resistant Hash Functions. We leave open the existence of efficient constructions of chain-resistant hash functions, possibly as atomic primitives. While we proved that collision-resistance does not imply chain-resistance, it is still unknown whether there exist more general black-box constructions ($g = P^h$) of chain-resistant hash functions ($g$) based on a collision-resistant one ($h$). In case such constructions exist, it would be sufficient to just replace the hash functions in the existing schemes.

Another interesting research topic is attempts at the opposite: to prove that there exist no general black-box constructions of chain-resistant hash functions based on collision-resistant ones. It would be sufficient to find an oracle $O$ relative
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to which there exist collision-resistant hash functions while no function is chain-resistant. Inspired by the work of Simon [13] it may seem tempting to define an oracle $O$ capable of finding chains for any computable $f: \{0,1\}^{2k} \to \{0,1\}^k$, the description of which is given to $O$ as an argument. However, there seem to be no obvious ways of doing this. For example, if $O$ is able to compute the root of the complete Merkle tree for any (computable) hash function $f$, then one can show that such an $O$ can also be "abused" to find collisions for any hash function.

At the same time, it seems very likely that the oracle used by Simon [13] (to 
prove that collision-resistant hash functions are not black-box constructible from 
one-way functions) is also sufficient for showing that collision-resistant hash- 
functions cannot be constructed from the chain-resistant ones. 

Stronger Security Conditions. The chain-resistance condition is still too simplistic, considering some scenarios that are very likely to happen in practical implementations of time-stamping schemes. Instead of having unconditional uncertainty about $x$, it is possible that $A_1$ has some partial knowledge $y = f(x)$ about $x$ (e.g. ciphertexts or signatures). This suggests a stronger condition:

Definition 6. A function $h$ is universally chain-resistant if for any (probabilistic) function $f$ and for any poly-time adversary $A = (A_1, A_2)$ with success $\delta = \Pr[x \leftarrow \mathcal{D}, (\mathfrak{R}, a) \leftarrow A_1(f(x)), (n, z) \leftarrow A_2(x, a): F_h(x; n; z) \in \mathfrak{R}] =$ there is a poly-time $A'$ with success $\Pr[x \leftarrow \mathcal{D}, x' \leftarrow A'(f(x)): x' = x] =$ .

Loosely speaking, if $x$ can be time-stamped based on $y = f(x)$, then $x$ can be efficiently computed based on $y$, and hence the time stamp is "legitimate". This condition implies chain-resistance if we define $f(x) = 1^k$.

Though the universal chain-resistance condition seems natural, it is probably not achievable. To see this, assume that $h$ is one-way even if one of the arguments is revealed to the adversary, i.e. every $A' \in \mathrm{FP}$ has success

$$\delta'(k) = \Pr[(x, z) \leftarrow U_{2k}, x' \leftarrow A'(h(x, z), z): x = x'] = \ . \qquad (6)$$

This assumption is intuitively expected to hold in the case of conventional hash functions. Let $f$ be a probabilistic function such that $(h(x, z), z) \leftarrow f(x)$, where $z \leftarrow U_k$; and let $A = (A_1, A_2)$ be defined as follows: $(\{y\}, z) \leftarrow A_1(y, z)$, and $(\emptyset, z) \leftarrow A_2(x, z)$. Clearly, the success of $A$ (in the sense of universal chain-resistance) is $\delta = 1$, while no adversary $A'$ can efficiently invert $f$. Therefore, no functions that are one-way in the sense of (6) are universally chain-resistant, which means that this is a very strong security requirement. Even if $h$ is defined as a random oracle, it is still insufficient for universal chain-resistance. Nothing changes if the set of valid identifiers is polynomially restricted.
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A Proof of Lemma 2

Let $\Pr[\mathfrak{R}, \mathfrak{N}, a] = \Pr[(\mathfrak{R}', \mathfrak{N}', a') \leftarrow A_1(1^k): \mathfrak{R}' = \mathfrak{R}, \mathfrak{N}' = \mathfrak{N}, a' = a]$ and

$\Pr[\mathrm{Brk} \mid \mathfrak{R}, \mathfrak{N}, a] = \Pr[X \leftarrow \mathcal{D}, (n, z) \leftarrow A_2(X, a): F_h(\mathcal{H}(X); n; z) \in \mathfrak{R}, n \in \mathfrak{N}]$.

By definition, $\Pr[\mathrm{Brk} \mid \mathfrak{R}, \mathfrak{N}, a]$ is the conditional success of $(A_1, A_2)$, assuming that $A_1$ outputs $(\mathfrak{R}, \mathfrak{N}, a)$. Thus, $\delta(k) = \sum_{\mathfrak{R}, \mathfrak{N}, a} \Pr[\mathfrak{R}, \mathfrak{N}, a] \cdot \Pr[\mathrm{Brk} \mid \mathfrak{R}, \mathfrak{N}, a]$, where the sum is computed over all possible outputs of $A_1(1^k)$. Let

$\Pr[\mathrm{Brk}(n, \rho) \mid \mathfrak{R}, \mathfrak{N}, a] = \Pr[X \leftarrow \mathcal{D}, (n', z) \leftarrow A_2(X, a): F_h(\mathcal{H}(X); n'; z) = \rho \in \mathfrak{R}, n' = n \in \mathfrak{N}]$

be the conditional probability of success with the additional condition that the identifier (output by $A_2$) is $n$ and the result of the hash chain is $\rho \in \mathfrak{R}$. Now assume that $A'$ has finished and hence the following computations have been performed:
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$(\mathfrak{R}, \mathfrak{N}, a) \leftarrow A_1(1^k)$, $X \leftarrow \mathcal{D}$, $(n, z) \leftarrow A_2(X, a)$, $\rho = F_h(\mathcal{H}(X); n; z)$,

$X' \leftarrow \mathcal{D}$, $(n', z') \leftarrow A_2(X', a)$, $\rho' = F_h(\mathcal{H}(X'); n'; z')$.

Let Coll denote the event that $A'$ finds a collision and let Coll$'$ denote the event that $\rho = \rho' \in \mathfrak{R}$ and $n = n'$. By Lemma 1, the event Coll is a superset of $\mathrm{Coll}' \cap (\mathcal{H}(X) \neq \mathcal{H}(X'))$. Hence, the success $\delta'(k) = \Pr[\mathrm{Coll}]$ of $A'$ satisfies

$$\delta'(k) \ge \Pr[\mathrm{Coll}' \cap (\mathcal{H}(X) \neq \mathcal{H}(X'))] = 1 - \Pr[(\neg\mathrm{Coll}') \cup (\mathcal{H}(X) = \mathcal{H}(X'))] \ge 1 - (1 - \Pr[\mathrm{Coll}']) - \Pr[\mathcal{H}(X) = \mathcal{H}(X')] = \Pr[\mathrm{Coll}'] - P_C(\mathcal{H}(\mathcal{D})).$$

Therefore, it remains to estimate $\Pr[\mathrm{Coll}']$. For a fixed identifier $n$ and result $\rho$, let $\mathrm{Coll}'(n, \rho)$ denote the product event of $\mathrm{Coll}'$ with the events that both runs output the identifier $n$ and both hash chains result in $\rho$. From the independence of the two runs of $A_2$ it follows that $\Pr[\mathrm{Coll}'(n, \rho) \mid \mathfrak{R}, \mathfrak{N}, a] = \Pr^2[\mathrm{Brk}(n, \rho) \mid \mathfrak{R}, \mathfrak{N}, a]$ and hence

$$\begin{aligned}
\Pr[\mathrm{Coll}' \mid \mathfrak{R}, \mathfrak{N}, a] &= \sum_{n,\rho} \Pr[\mathrm{Coll}'(n, \rho) \mid \mathfrak{R}, \mathfrak{N}, a] = \sum_{n,\rho} \Pr^2[\mathrm{Brk}(n, \rho) \mid \mathfrak{R}, \mathfrak{N}, a] \\
&= \sum_{n,\rho} \Pr^2[\mathrm{Brk} \mid \mathfrak{R}, \mathfrak{N}, a] \cdot \Pr^2[n, \rho \mid \mathfrak{R}, \mathfrak{N}, a, \mathrm{Brk}] = \Pr^2[\mathrm{Brk} \mid \mathfrak{R}, \mathfrak{N}, a] \cdot \sum_{n,\rho} \Pr^2[n, \rho \mid \mathfrak{R}, \mathfrak{N}, a, \mathrm{Brk}] \\
&\ge \Pr^2[\mathrm{Brk} \mid \mathfrak{R}, \mathfrak{N}, a] \cdot \frac{1}{|\mathfrak{N}| \cdot |\mathfrak{R}|} \ge \Pr^2[\mathrm{Brk} \mid \mathfrak{R}, \mathfrak{N}, a] \cdot \frac{1}{T^2(k)},
\end{aligned}$$

where the first inequality holds because $\sum_{n,\rho} \Pr[n, \rho \mid \mathfrak{R}, \mathfrak{N}, \mathrm{Brk}, a] = 1$ and for any probability space $T$ we have $\sum_{t \in T} \Pr[t]^2 \ge \frac{1}{|T|}$; the second inequality follows from the observation that $\mathfrak{R}$ and $\mathfrak{N}$ are produced by the adversary and hence their size cannot exceed the running time. Therefore,

$$\Pr[\mathrm{Coll}'] \ge \frac{\sum \Pr[\mathfrak{R}, \mathfrak{N}, a] \cdot \Pr^2[\mathrm{Brk} \mid \mathfrak{R}, \mathfrak{N}, a]}{T^2(k)} \ge \frac{\left(\sum \Pr[\mathfrak{R}, \mathfrak{N}, a] \cdot \Pr[\mathrm{Brk} \mid \mathfrak{R}, \mathfrak{N}, a]\right)^2}{T^2(k)} = \frac{\delta^2(k)}{T^2(k)},$$

which follows from the Jensen inequality. □
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Abstract. We consider the problem of securely computing the Greater Than (GT) predicate and its generalization - securely determining membership in a union of intervals. We approach these problems from the point of view of Q-Conditional Oblivious Transfer (Q-COT), introduced by Di Crescenzo, Ostrovsky and Rajagopalan [4]. Q-COT is an oblivious transfer that occurs iff predicate Q evaluates to true on the parties' inputs. We are working in the semi-honest model with computationally unbounded receiver.

In this paper, we propose: (i) a stronger, simple and intuitive definition of COT, which we call strong COT, or Q-SCOT. (ii) A simpler and more efficient one-round protocol for securely computing GT and GT-SCOT. (iii) A simple and efficient modular construction reducing SCOT based on membership in a union of intervals (UI-SCOT) to GT-SCOT, producing an efficient one-round UI-SCOT.



1 Introduction 

This work falls into the area of constructing efficient secure multi-party protocols 
for interesting functionalities. The more basic the functionality, the more com- 
mon is its use, and the more significant is the value of any improvement of the 
corresponding protocol. We start with presenting the problems we investigate 
and their motivation. 

The base functionality we consider - Greater Than (GT) - is one of the 
most basic and commonly used. Secure evaluation of GT is also one of the most 
famous and well-researched problems in cryptography. There exist a vast number 
of applications relying on it, such as auction systems or price negotiations. 

Another typical example would be secure distributed database mining. The 
setting is as follows: several parties, each having a private database, wish to 
determine some properties of, or perform computations on, their joint database. 
Many interesting properties and computations, such as transaction classification 
or rule mining, involve evaluating a large number of instances of GT [12, 14]. Be- 
cause of the large size of the databases, even a minor efficiency gain in computing 
GT results in significant performance improvements. 

P.J. Lee (Ed.): ASIACRYPT 2004, LNCS 3329, pp. 515-529, 2004. 
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Other functionalities - memberships in a set of intervals and their conjunctions and disjunctions - are less studied, but nevertheless are very useful. Their immediate uses lie in appointment scheduling, flexible timestamp verification, expression evaluation, in the areas of computational geometry, biometrics, and many others. Certain kinds of set membership problems, as studied by Freedman, Nissim and Pinkas [7], can be represented succinctly as instances of the problems we consider. For example, the problem of membership in a set consisting of all even integers on a large interval $(y, z)$ can be represented as a conjunction of two small instances of interval memberships ($S = \{x \mid x_0 < 1 \wedge x \in (y, z)\}$, where $x_0$ is the low bit of $x$). In such cases, using our solutions may have significant advantages over the general set intersection solution of [7].

The setting with computationally unbounded receiver (Alice) is very appealing, both for oblivious transfer and general computations. Numerous papers consider unconditional security against one or more parties, in particular, the receiver, e.g. [2,3,5,11,17]. Practical one-round computation with unbounded first party (Alice) currently seems to be hard to achieve. The best known general approach [21] offers only polynomial efficiency and only for computing $NC^1$ circuits. At the same time, if Alice is bounded, we could use Yao's very efficient garbled circuit approach ([15,17,20,22]) at a cost linear in the size of the circuit. We solve the posed problems in the difficult setting (unbounded Alice), while achieving performance only slightly worse than the best known approach in the easier (bounded Alice) setting.

1.1 Our Contributions and Outline of the Work 

After presenting preliminary definitions and constructions in Sect. 1.2, we start 
with a discussion of Conditional Oblivious Transfer (COT) (Sect. 2). We wish to 
strengthen the current definition of [4] in several respects. Firstly, we observe that 
the definition of [4] does not require the privacy of the sender’s private input. 
Secondly, we propose and justify the “l-out-of-2” Q-COT, where the receiver 
obtains one of two possible secret messages depending on Q, but without learning 
the value of Q. This is opposed to the “all-or-nothing” approach of [4] where the 
receiver receives either a message or nothing, which necessarily reveals the value 
of Q. Our approach significantly adds to the flexibility of COT functionalities 
and allows for more powerful compositions of COT protocols. We propose a 
definition of strong conditional oblivious transfer (SCOT) that incorporates the 
above observations and some other (minor) points. 

Then, in Sect. 3, we discuss previous work on the GT problem and present 
our main tool - an efficient protocol for computing GT-SCOT built from a 
homomorphic encryption scheme. We exploit the structure of the GT predicate 
in a novel way to arrive at a solution that is more efficient and flexible than 
the best previously known (of Fischlin [6]) for our model with unbounded Alice. 
Additionally, our construction is the first to offer transfer of $c$-bit secrets, with $c \approx 1000$ for practical applications, at no extra cost, with one invocation of the protocol, as opposed to the necessary $c$ invocations of Fischlin's protocol. This
results in additional significant efficiency gains. 
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Then, in Sect. 4, we show how to use the bandwidth of our GT-COT solution and present protocols for efficiently computing SCOT based on interval membership (I-SCOT) and SCOT based on membership in a union of $k$ intervals ($k$-UI-SCOT). Because of their modularity, these protocols can also be constructed based on Fischlin's solution, at the efficiency loss described in the previous paragraph. Because they leak the private inputs of the sender, we do not know of an efficient way to extend the solutions of [4] to compute these functionalities. We remark on how to use UI-SCOT to compute the conjunction or disjunction of memberships in unions of intervals. Finally, we compare and summarize the resource requirements of the schemes of Fischlin, Di Crescenzo et al., and ours in the Table in Sect. 4.2.

1.2 Definitions and Preliminaries 

We start by introducing the necessary terminology and notation, and refer the reader to Goldreich [9] for in-depth discussion. We are working in a setting with two semi-honest participants, who use randomness in their computation. By a two-party functionality we mean a possibly random process that maps two inputs to two outputs. We denote the view (i.e. its randomness, input and messages received) of a party $P$ executing a protocol $\Pi$ with a party $R$ on respective inputs $x$ and $y$ by $\mathrm{VIEW}_P^\Pi(x, y)$. We note that $\mathrm{VIEW}_P^\Pi(x, y)$ is a random variable over the random coins of $P$ and $R$.

We stress that although our constructions and analysis are presented for fixed security and correctness¹ parameters $\nu$ and $\lambda$, we have in mind their asymptotic notions. Therefore, for example, when talking about a view of a party $\mathrm{VIEW}_P^\Pi(x, y)$, we mean an ensemble $\{\mathrm{VIEW}_P^\Pi(x, y)\}_\nu$ of views.

We denote statistical closeness of ensembles of random variables $X$ and $Y$ by $X \stackrel{s}{\equiv} Y$ and their computational indistinguishability by $X \stackrel{c}{\equiv} Y$. We say a function $\mu: \mathbb{N} \to \mathbb{R}$ is negligible if for every positive polynomial $p(\cdot)$ there exists an $N$, such that for all $n > N$, $\mu(n) < 1/p(n)$. We say a probability is overwhelming if it is negligibly different from 1.

Homomorphic Encryption. Our constructions use semantically secure public key probabilistic additive homomorphic encryption. Informally, a scheme is probabilistic (or randomized) if its encryption function uses randomness to encrypt a plaintext as one of many possible ciphertexts. It allows re-randomization if a random encryption of a plaintext can be computed from its ciphertext and the public key. In our work, we will rely on the unlinkability of encryptions of the same message. An encryption scheme $(G, E, D)$ is homomorphic if for some operations $\oplus$ and $\otimes$ (defined on possibly different domains), it holds that $D(E(x \oplus y)) = D(E(x) \otimes E(y))$. A scheme is called additively (multiplicatively) homomorphic if it is homomorphic with respect to the corresponding operation (e.g. an additive scheme allows one to compute $E(x \oplus y)$ from $E(x)$ and $E(y)$). Many of the commonly used schemes are homomorphic. For example, the ElGamal scheme is multiplicatively homomorphic, and the Goldwasser-Micali [10] and Paillier [18] schemes are additively homomorphic. Unfortunately, it is not known whether there exists a scheme that is algebraically (i.e. both additively and multiplicatively) homomorphic. We note that an additively homomorphic scheme allows multiplication by a known constant, i.e. computing $E(cx)$ from $E(x)$ and $c$, via repeated addition.

¹ The correctness parameter specifies the allowed probability of error in the protocols.
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

The Paillier Cryptosystem. Our protocols require an additional property of the encryption scheme: a large plaintext size, or bandwidth. The Paillier scheme [18] satisfies all our requirements, and we will instantiate all our protocols with it. We present it for completeness, but omit the number-theoretic justification.

Key generation: Let $N$ be an RSA modulus $N = pq$, where $p, q$ are large primes. Let $g$ be an integer of order $N\alpha$ modulo $N^2$, for some integer $\alpha$. The public key is $pk = (N, g)$ and the secret key is $sk = \lambda(N) = \mathrm{lcm}(p - 1, q - 1)$, where $\lambda(N)$ is Carmichael's lambda function.

Encryption: to encrypt $m \in \mathbb{Z}_N$, compute $\mathrm{Enc}(m) = g^m r^N \bmod N^2$, where $r \in_R \mathbb{Z}_N^*$.

Decryption: to decrypt a ciphertext $c$, compute $m = \frac{L(c^{\lambda(N)} \bmod N^2)}{L(g^{\lambda(N)} \bmod N^2)} \bmod N$, where $L(u) = \frac{u - 1}{N}$ takes as input an element from the set $S_N = \{u < N^2 \mid u = 1 \bmod N\}$.

Re-randomization: to re-randomize a ciphertext $c$, multiply it by a random encryption of 0, i.e. compute $c r^N \bmod N^2$, for $r \in_R \mathbb{Z}_N^*$.

The underlying security assumption is that the so-called composite residuosity class problem is intractable (called the CCRA assumption). It is potentially stronger than the RSA assumption, as well as the quadratic residuosity assumption used in [6]. We refer the interested reader to [18] for further details.
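To make the four steps above concrete, here is an added Python implementation of the Paillier operations this paper relies on (not the authors' code), with the standard choice $g = N + 1$ (so $\alpha = 1$) and constructed toy-sized primes; it also exercises the additive homomorphism, multiplication by a known constant, and the re-randomization whose unlinkability the protocols depend on.

```python
import math
import secrets
from typing import Optional, Tuple

PublicKey = Tuple[int, int]  # (N, g)


def paillier_keygen(p: int, q: int) -> Tuple[PublicKey, int]:
    """Key generation: pk = (N, g) with N = pq and g = N + 1, which has order N
    modulo N^2 (alpha = 1); sk = lambda(N) = lcm(p - 1, q - 1)."""
    N = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    assert math.gcd(N, lam) == 1  # needed so that L(g^lambda) is invertible mod N
    return (N, N + 1), lam


def _L(u: int, N: int) -> int:
    """L(u) = (u - 1) / N on the set S_N = {u < N^2 : u = 1 mod N}."""
    assert u % N == 1
    return (u - 1) // N


def _random_unit(N: int) -> int:
    """r chosen uniformly from Z_N^* (gcd(r, N) = 1)."""
    while True:
        r = secrets.randbelow(N)
        if r > 0 and math.gcd(r, N) == 1:
            return r


def paillier_encrypt(pk: PublicKey, m: int, r: Optional[int] = None) -> int:
    """Enc(m) = g^m * r^N mod N^2; a caller-supplied r makes the encryption deterministic."""
    N, g = pk
    N2 = N * N
    if r is None:
        r = _random_unit(N)
    return (pow(g, m % N, N2) * pow(r, N, N2)) % N2


def paillier_decrypt(pk: PublicKey, lam: int, c: int) -> int:
    """m = L(c^lambda mod N^2) / L(g^lambda mod N^2) mod N."""
    N, g = pk
    N2 = N * N
    num = _L(pow(c, lam, N2), N)
    den = _L(pow(g, lam, N2), N)
    return (num * pow(den, -1, N)) % N


def paillier_add(pk: PublicKey, c1: int, c2: int) -> int:
    """Additive homomorphism: Enc(x) * Enc(y) mod N^2 is an encryption of x + y."""
    N = pk[0]
    return (c1 * c2) % (N * N)


def paillier_mul_const(pk: PublicKey, c: int, k: int) -> int:
    """Multiplication by a known constant (repeated addition): Enc(x)^k = Enc(k * x)."""
    N = pk[0]
    return pow(c, k, N * N)


def paillier_rerandomize(pk: PublicKey, c: int) -> int:
    """Multiply by a fresh encryption of 0, i.e. c * r^N mod N^2, unlinkable to c."""
    return paillier_add(pk, c, paillier_encrypt(pk, 0))


def demo() -> dict:
    """Constructed toy run with small primes (never use such sizes in practice)."""
    pk, sk = paillier_keygen(10007, 10009)
    c_x, c_y = paillier_encrypt(pk, 1234), paillier_encrypt(pk, 4321)
    c_sum = paillier_add(pk, c_x, c_y)
    c_triple = paillier_mul_const(pk, c_x, 3)
    c_re = paillier_rerandomize(pk, c_x)
    return {
        "x": paillier_decrypt(pk, sk, c_x),
        "sum": paillier_decrypt(pk, sk, c_sum),
        "triple": paillier_decrypt(pk, sk, c_triple),
        "rerandomized_same_plaintext": paillier_decrypt(pk, sk, c_re) == 1234,
        "rerandomized_differs": c_re != c_x,
    }
```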

2 Strong Conditional Oblivious Transfer 

The notion of COT was introduced by Di Crescenzo, Ostrovsky and Rajagopalan [4] in the context of timed-release encryption. It is a variant of Oblivious Transfer (OT) introduced by Rabin [19]. Intuitively, in COT, the two participants, a receiver $R$ and a sender $S$, have private inputs $x$ and $y$ respectively, and share a public predicate $Q$. $S$ has a secret $s$ he wishes (obliviously to himself) to transfer to $R$ iff $Q(x, y) = 1$. If $Q(x, y) = 0$, no information about $s$ is transferred to $R$. $R$'s private input and the value of the predicate remain computationally hidden from $S$.

2.1 Our Definitions 

We start by describing several ways of strengthening the existing definition with 
the goal of increasing modularity and widening the applicability of SCOT pro- 
tocols. Our own construction for UI-SCOT, for example, requires its building 
blocks to have the proposed features. 
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First, while sufficient for the proposed timed-release encryption scheme, the definition of [4] lacks the requirement of secrecy of the sender's private input. We would like the new definition to include this requirement.

Secondly, we prefer the "1-out-of-2" approach. In our proposed setting, the sender possesses two secrets $s_0$ and $s_1$, and wishes (obliviously to himself) to send $s_1$ if $Q(x, y) = 1$, and to send $s_0$ otherwise. Unlike the COT "all-or-nothing" definition, this allows SCOT protocols to have the property of not revealing $Q(x, y)$ to the receiver. This proposal strengthens the definition since, while a SCOT protocol can be trivially modified to satisfy the COT definitions of [4], the opposite does not (efficiently) hold². Further, note that it follows from our requirements that a $Q$-SCOT protocol can be trivially modified into a $(\neg Q)$-SCOT protocol. This also does not hold for COT. We will use this important property in our constructions later in the paper.

Finally, as a minor point, we only require statistical, as opposed to perfect, correctness and security against $R$, to allow for easier analysis of the protocols and wider applicability of the SCOT notion.

We now present our definition. Let sender $S$ and receiver $R$ be the participants of the protocol. Let $\nu$ be the security parameter and $\lambda$ be the correctness parameter, upper-bounding the error probability by $O(2^{-\lambda})$. Let $D_I$ and $D_S$ be the respective domains of the parties' private inputs and the sender's secrets. Let $d_I = |D_I|$ and $d_S = |D_S|$. We assume that both domains are known to both parties. Let $R$ have input $x \in D_I$, and let $S$ have input $(y \in D_I, s_0, s_1 \in D_S)$. Let $Q: D_I \times D_I \mapsto \{0, 1\}$ be a predicate. Consider the SCOT functionality:

Functionality 1

$$f_{Q\text{-SCOT}}(x, (y, s_0, s_1)) = \begin{cases} (s_1, \text{empty string}) & \text{if } Q(x, y) = 1, \\ (s_0, \text{empty string}) & \text{otherwise} \end{cases} \qquad (1)$$



There are many models in which we can consider computing this functionality. Each of the two parties may be malicious or semi-honest, and each party may or may not be computationally limited³. We wish to give one definition that refers to all possible models and rely on existing definitions of secure computation in these models. We refer the reader to Goldreich [9] for in-depth presentations of definitions of security in many interesting models.

Definition 1. (Q-Strong Conditional Oblivious Transfer)

We say that a protocol $\Pi$ is a $Q$-strong conditional oblivious transfer protocol with respect to a given model, if it securely implements functionality $f_{Q\text{-SCOT}}$ (1) in the given model.

We note that this general definition covers the case when $Q$ is probabilistic.

² Clearly, because secure multi-party computation can be based on OT (Kilian [13]), COT implies SCOT. This solution, however, is inefficient.

³ Of course, in some of the combinations it is not possible to have nontrivial secure SCOT protocols, such as when both parties are computationally unlimited.
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One of the more practical and interesting settings is the model with the semi-honest unlimited receiver, semi-honest poly-time sender and deterministic $Q$. We discuss our constructions in this model, and thus wish to explicate the definition for this setting.

Definition 2. Let receiver $R$, sender $S$, their inputs $x$ and $y$, secrets $s_1$ and $s_0$, unary parameters $\nu$ and $\lambda$, and predicate $Q$ be as discussed above. We say that $\Pi$ is a strong conditional oblivious transfer protocol for predicate $Q$ in the semi-honest model with computationally unlimited receiver and poly-time sender if

— Transfer Validity. With overwhelming probability in $\lambda$: if $Q(x, y) = 1$, $R$ obtains $s_1$, otherwise $R$ obtains $s_0$.

— Security against $R$. ($R$ obtains essentially no information other than the transferred secret.) There exists a simulator $\mathrm{Sim}_R$, such that for any $x, y, s, s'$ from the appropriate domains:

if $Q(x, y)$ then $\{\mathrm{Sim}_R(x, s)\}_\nu \stackrel{s}{\equiv} \{\mathrm{VIEW}_R^\Pi(x, (y, s', s))\}_\nu$,
if $\neg Q(x, y)$ then $\{\mathrm{Sim}_R(x, s)\}_\nu \stackrel{s}{\equiv} \{\mathrm{VIEW}_R^\Pi(x, (y, s, s'))\}_\nu$.

— Security against $S$. ($S$ gets no efficiently computable information about $x$.) There exists an efficient simulator $\mathrm{Sim}_S$, such that for any $x, (y, s_0, s_1)$ from the appropriate domains:

$\{\mathrm{Sim}_S(y, s_0, s_1)\}_\nu \stackrel{c}{\equiv} \{\mathrm{VIEW}_S^\Pi(x, (y, s_0, s_1))\}_\nu$.

As further justification, we wish to point out an interesting use of Q-SCOT protocols. When sufficiently long secrets are chosen randomly by S, upon completion of a Q-SCOT protocol, R does not know either the value of Q, or the non-transferred secret. Thus this can be viewed as a convenient way to share the value of Q among R and S. Further, the secret that R received may serve as a proof to S of the value of Q. This is not possible with COT, as R is only able to provide such proof if Q(x, y) = 1.



3 The GT-SCOT Protocol 

Research specifically addressing the GT problem is quite extensive. It was considered (as a special case) in the context of general secure multi-party computation [1, 15, 17, 20, 23, 22], whose solution is now well-known and celebrated. This general approach is impractical. However, because the circuit for computing GT is quite small, it is the best currently known one-round solution in the model with the computationally bounded Alice. As people searched for efficient solutions to special classes of problems in different models, more efficient GT solutions implicitly appeared. Naor and Nissim [16] presented a general approach to securely computing functions with low communication overhead. While the application of their solution to GT is quite efficient in the message length, it needs at least O(log n + log(1/ε)) 1-out-of-O(n) oblivious transfers and the same number of rounds, where ε is the tolerated probability of error. Sander, Young and Yung [21] showed that all functionalities in NC^1 (including GT) can be computed by a one-round polytime protocol. Their solution is secure against unbounded Alice. Unfortunately, when used with the natural shallow GT circuit (the circuit based on the formula used by Fischlin's protocol [6]), which seems to be optimal for their approach, it requires at least n^2 modular multiplications and log N communication (where n is the input size, and N is the GM modulus used).

Finally, in 2001, Fischlin [6] proposed a solution that significantly reduced the number of modular multiplications, while also reducing the message size and maintaining the minimal one-round efficiency. This is the best previously known solution to the GT problem in the model with unbounded Alice. The number of modular multiplications required to complete his protocol is 8nλ, where 2^{−λ} is the allowed error probability. The message complexity (in bits) is n log N (λ + 1). Fischlin also extends this protocol (at the cost of approximately doubling the communication and computation costs) to satisfy our definition of GT-SCOT, with the exception of leaking the value of the predicate. We remark that this extension can be further extended to fully satisfy our definitions at the expense of further approximately doubling the communication and computation costs.

3.1 Our Construction 

Our constructions use semantically secure additively homomorphic encryption 
schemes with large message domains. For the ease and clarity of presentation 
and to enable resource analysis, we “instantiate” our protocols with the original 
Paillier scheme. We remark that the Paillier scheme has received much attention 
in the literature recently, and several variants, including an elliptic curve version 
[8], have appeared. Using more efficient implementations may further improve 
our results. 

Let (Gen, Enc, Dec) be the instance generation, encryption and decryption algorithms, respectively, of such a scheme. As in Definition 2, let R and S be the receiver and the sender with inputs x and y respectively and common parameters ν and λ. Let x, y ∈ D_I and s_0, s_1 ∈ D_S. Let d_S = |D_S| and, without loss of generality, d_I = |D_I| = 2^n.

Throughout this section, we will work with numbers which we will need to represent as binary vectors. For x ∈ ℕ, unless specified otherwise, x_i will denote the i-th most significant bit in the n-bit binary representation of x, including leading zeros, if applicable. Where it is clear from the context, by x we may mean the vector <x_1, x_2, ..., x_n>, and by Enc(x) we mean a vector <Enc(x_1), Enc(x_2), ..., Enc(x_n)>. We will also write Enc(x) instead of Enc_pk(x), where pk is clear from the context.

For the clarity of presentation, we describe the setup phase outside of the protocol. We stress that it is run as part of R's first move, and in particular, after the parties' inputs x and (y, s_0, s_1) have been fixed.



Setup Phase. R sets up the Paillier encryption scheme with group size N = pq by running Gen and generating secret and public keys (sk and pk). He chooses the number of bits in N to be max{ν, |d_S| + λ}.

We will view D_S as a subset of Z_N, and will perform operations on elements of D_S modulo N.

Observation 1. We envision the following practical parameter choices for our GT protocols. First, choose N and λ to satisfy the security and correctness requirements of the encryption scheme. In practice, log N (≈ 1000) ≫ λ (≈ 40..80), so we set |d_S| = log N − λ > 900 bits of the bandwidth of the encryption scheme to be used for sending secrets. If D_S needs to be much larger than that, it may be more practical to split it in blocks of size |d_S| and run GT-SCOT several times. Choosing parameters in this manner also simplifies comparison of our results to others, and we follow this approach in Sect. 4.2.

Observation 2. There is a negligible (in λ) minority of elements of D_S in the group of size N.

For our protocols, we are only interested in binary comparisons, i.e. one of {>, <, ≤, ≥}. We can trivially reduce {≤, ≥} to {>, <}. Furthermore, we assume that x ≠ y. This can be enforced by mapping, for instance, x → 2x, y → 2y + 1. The mapping can be done entirely by S. Similarly, we assume that s_0 ≠ s_1. The case when s_0 = s_1 can be reduced to the s_0 ≠ s_1 case by, for example, S setting y = max{D_I} and s_1 ∈_R D_S \ {s_0}, ensuring that x < y and s_0 is always sent.

We now present the GT-SCOT construction. The intuition behind each step is 
presented immediately below, in the proof of the corresponding security theorem. 

Construction 1. (Computing Functionality GT-SCOT)

1. R runs the setup phase, then encrypts each bit x_i of x with the generated pk and sends (pk, Enc(x_1), ..., Enc(x_n)) to S.

2. S computes the following, for each i = 1..n:

(a) an encryption of the difference vector d, where d_i = x_i − y_i.

(b) an encryption of the flag vector f, where f_i = x_i XOR y_i = (x_i − y_i)^2 = x_i − 2x_i y_i + y_i.

(c) an encryption of vector γ, where γ_0 = 0 and γ_i = 2γ_{i−1} + f_i.

(d) an encryption of vector δ, where δ_i = d_i + r_i(γ_i − 1), where r_i ∈_R Z_N.

(e) a random encryption of vector μ, where μ_i = δ_i · (s_1 − s_0)/2 + (s_0 + s_1)/2,

and sends a random permutation π(Enc(μ)) to R.

3. R obtains π(Enc(μ)), decrypts it, and determines the output as follows: if μ contains a single v ∈ D_S, output v, otherwise abort.

Theorem 1. The protocol of Construction 1 is a GT-SCOT protocol in the semi-honest model, assuming semantic security of the employed encryption scheme.

Proof. (Sketch): We will now show that the protocol correctly computes the desired functionality. It is easy to see that the homomorphic properties of the encryption scheme allow S to perform all necessary operations. In particular, step 2b is possible because the y_i are known to S.

Observe that the flag vector f is a {0, 1}-vector, with the ones in positions where x and y differ. Furthermore, γ is a vector with the following structure: it starts with zero or more zeros, then a one, then a sequence of non-ones. Moreover, with overwhelming probability the non-zero elements (γ_i − 1) are not multiples of either p or q, i.e. are in Z_N^*. This is because the fraction of multiples of p or q in Z_N is negligible, and p and q are chosen randomly and independently of x and y.

Let ind_1 be the (only) position where γ_{ind_1} = 1. This position is where x and y first differ, and thus d_{ind_1} determines GT(x, y). The transformation (γ, d) → δ of step 2d randomizes all coordinates of δ, while setting δ_{ind_1} to the value of d_{ind_1}. Because, with overwhelming probability, (γ_i − 1) ∈ Z_N^*, multiplying it by r_i randomizes δ_i perfectly in Z_N.

With overwhelming probability, the transformation (δ, s_0, s_1) → μ of step 2e is a permutation on Z_N that maps −1 → s_0, 1 → s_1. Indeed, it is not such a permutation only when (s_1 − s_0) is a multiple of p or q, the event that occurs with negligible probability, because p and q are chosen randomly and independently of s_1 and s_0. This permutation preserves the randomness properties of all elements of the vector, and (as is easy to verify) performs the mapping we are looking for. The random re-encryption step hides the information that may be contained in the randomness of the encryption. Finally, the random permutation π(μ) of step 2 hides the index of the determining δ_i.

It easily follows from Observation 2 that the probability that there is not exactly one element of D_S in the vector decrypted by R is negligible. Thus, with overwhelming probability, R terminates and outputs the correct value.

Security of R (against the semi-honest S) trivially holds because of the semantic security properties of the employed encryption scheme.

We now prove security of S against an unlimited semi-honest R by constructing a protocol view simulator Sim_R(x, s), where x is the input, and s is the output of the protocol. Sim_R(x, s) has to generate a distribution statistically close to the view of R in a real execution, VIEW_R(x, (y, s_0, s_1)) = {x, r, Enc(π(μ))}, where r is the randomness used by R to generate pk and sk (of the setup phase) and the random encryptions of the first message, and π(μ) is defined in the protocol construction. Sim_R(x, s) proceeds as follows. It first generates a random string r' of appropriate length (to match r). It uses r' to compute the keys sk' and pk' (including N). It then computes a candidate μ': for i = 1..n, pick random μ'_i ∈_R Z_N. It then replaces a random element of μ' with the received s, and outputs {x, r', Enc_pk'(μ')}, where Enc_pk'(μ') is a vector of random encryptions of the coordinates of μ' under pk'. Because of the previously presented arguments of the randomness of all elements of π(μ) (other than the one that carries the secret) and the randomness of re-encryption, it is easy to see that Sim_R generates a distribution statistically close to the view of R. We note that the simulation is not perfect, since the transfer of the other secret is possible during the real execution, with negligible probability. □

We observe that a GT-SCOT protocol, such as presented above, immediately implies a solution to GT in the semi-honest model. Indeed, running GT-SCOT with at least one of the secrets s_i known to R (say s_1 = 1), immediately yields the desired functionality. Moreover, for GT, the transformation of step 2e is unnecessary (while the re-randomization of the same step is still required).
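Construction 1 carried out end to end, as an added example that is not the paper's own code: a toy Paillier instance (constructed 92-bit N from two Mersenne primes, n = 16-bit inputs, 32-bit secrets, all assumed parameters rather than the paper's), S's steps 2a to 2e performed purely on ciphertexts, and R's selection of the unique decrypted element inside D_S.

```python
import random
from math import gcd

# Constructed toy parameters (not from the paper): two Mersenne primes give a
# 92-bit N; Observation 1 envisions log N of about 1000 bits for real use.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)     # Paillier lambda = lcm(p-1, q-1)
MU = pow((pow(N + 1, LAM, N2) - 1) // N, -1, N)   # Paillier mu for g = N + 1
N_BITS = 16         # n: bit length of the compared inputs x and y (d_I = 2^n)
SECRET_BITS = 32    # |d_S|: secrets live in D_S = [0, 2^32), a negligible part of Z_N


def enc(m):
    """Paillier encryption with g = N + 1: (1 + m*N) * r^N mod N^2, fresh r."""
    r = random.randrange(1, N)
    return (1 + (m % N) * N) * pow(r, N, N2) % N2


def dec(c):
    """Paillier decryption: L(c^lambda mod N^2) * mu mod N."""
    return (pow(c, LAM, N2) - 1) // N * MU % N


def add(c1, c2):
    """Enc(a) * Enc(b) = Enc(a + b)."""
    return c1 * c2 % N2


def mul(c, k):
    """Enc(a)^k = Enc(k * a); a negative k is reduced modulo N first."""
    return pow(c, k % N, N2)


def bit(v, i):
    """x_i in the paper's convention: the i-th most significant of n bits (i from 0 here)."""
    return (v >> (N_BITS - 1 - i)) & 1


def receiver_round1(x):
    """Step 1: R encrypts the bits of x under its own pk and sends them to S."""
    return [enc(bit(x, i)) for i in range(N_BITS)]


def sender_round2(enc_x, y, s0, s1):
    """Step 2: S's purely homomorphic work; returns the permuted vector pi(Enc(mu))."""
    inv2 = pow(2, -1, N)
    half_diff = (s1 - s0) * inv2 % N          # (s_1 - s_0) / 2 in Z_N
    half_sum = (s0 + s1) * inv2 % N           # (s_0 + s_1) / 2 in Z_N
    gamma = enc(0)                            # gamma_0 = 0
    out = []
    for i in range(N_BITS):
        yi = bit(y, i)
        d = add(enc_x[i], enc(-yi))                    # (a) d_i = x_i - y_i
        f = add(mul(enc_x[i], 1 - 2 * yi), enc(yi))    # (b) f_i = x_i - 2 x_i y_i + y_i
        gamma = add(mul(gamma, 2), f)                  # (c) gamma_i = 2 gamma_{i-1} + f_i
        r = random.randrange(1, N)
        delta = add(d, mul(add(gamma, enc(-1)), r))    # (d) delta_i = d_i + r_i (gamma_i - 1)
        m = add(mul(delta, half_diff), enc(half_sum))  # (e) mu_i = delta_i (s_1-s_0)/2 + (s_0+s_1)/2
        out.append(add(m, enc(0)))                     # random re-encryption
    random.shuffle(out)                                # random permutation pi
    return out


def receiver_round3(enc_mu):
    """Step 3: R decrypts and outputs the single element that lies in D_S, else aborts."""
    hits = [v for v in map(dec, enc_mu) if v < (1 << SECRET_BITS)]
    if len(hits) != 1:
        raise RuntimeError("abort: expected exactly one element of D_S")
    return hits[0]


def gt_scot(x, y, s0, s1):
    """Whole protocol: R learns s1 if x > y and s0 if x < y (x != y, s0 != s1 assumed)."""
    return receiver_round3(sender_round2(receiver_round1(x), y, s0, s1))


if __name__ == "__main__":
    print(gt_scot(0xBEEF, 0xCAFE, 111, 222))   # x < y, so R learns s0 = 111
```

With x = y every γ_i is 0, so all δ_i are random and R aborts, which is why the text enforces x ≠ y by the mapping x → 2x, y → 2y + 1.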

3.2 Resource Analysis 

We evaluate the message and modular multiplication efficiency of our construction based on the use of the Paillier encryption scheme. We note that we do not include the relatively small computational cost of key generation, to be consistent with the compared results of [4] and [6]. Let n be the length of inputs x and y in binary, and N the size of the plaintext domain of the Paillier scheme. Then the message complexity of Construction 1 is l = 2n log(N^2) = 4n log N bits.

Let w = w(y) ≤ n be the weight (i.e. the number of ones) of the binary representation of y. To encrypt each bit, log N multiplications are required. Observe that it is not necessary to perform expensive randomized encryption in the intermediate steps of S. This allows us to make do with only w multiplications for each of the steps 2a and 2b, 2n for step 2c, (log N + 2)n for step 2d, and (|s_1| + log N)n ≤ 2n log N for step 2e of the protocol. We note that if we do not perform the transformation of step 2e (when, for example, computing GT), we only need n log N multiplications for the last step.

Decryption takes 2n log N multiplications. Thus, in total, the protocol requires no more than (5n + 1) log N + 6n modular multiplications ((4n + 1) log N + 6n for GT). We stress that transferring up to log N − λ bit secrets requires the same resources. We observe that the encryption and re-encryption multiplications can be precomputed once the encryption scheme is initialized.

We now compare the efficiency of our approach to that of Fischlin [6], using appropriate parameters. We first note that in practice, no known attack on the Paillier system is better than factoring the modulus N. Clearly, factoring based attacks would also be effective against the GM scheme with the same modulus size. Thus, having already assumed CCRA (see Sect. 1), we also assume that the security of Paillier and GM schemes with the modulus of the same size are approximately the same.

Compared with [6], our scheme offers a factor of λ/4 improvement in message complexity: ((4n log N) vs (n log N (λ + 1)) bits). We pay a higher cost in the number of modular multiplications: ((4n + 1) log N + 6n) vs (6nλ). Additionally, our multiplications are four times slower, since we are working with modulus length twice that of the Goldwasser-Micali encryption scheme employed in [6]. These comparisons are summarized in the Table in Sect. 4.2.



4 SCOT for Unions of Intervals 

In this section we present new efficient protocols for I-SCOT (SCOT based on the membership in an interval) and UI-SCOT (SCOT based on the membership in a union of intervals), both of which are generalizations of GT-SCOT. We build these protocols on our GT-SCOT solution. While other GT-SCOT approaches (such as based on Fischlin's protocol) are also suitable for these constructions, our solution is simpler and produces more efficient protocols in terms of both multiplication and communication complexity. In our constructions, we denote the instance of the Q-SCOT functionality with the secrets s_0, s_1 on parties' inputs x, y by Q-SCOT(s_1|s_0 ? Q(x, y)).

In Sect. 4.1 we show how to reduce UI-SCOT to I-SCOT and I-SCOT to GT-SCOT. In our model, secure reductions provide us with secure protocols when the underlying oracles are replaced by their secure implementations (see Goldreich [9] for the composition theorem). Furthermore, in our model the oracles' implementations may be run in parallel, which, with our implementations, provides secure one-round protocols for I-SCOT and UI-SCOT.

4.1 The UI-SCOT Protocol 

Without loss of generality, we assume that the domain of secrets D_S is an additive group Z_{d_S}; additions of secrets will be done in D_S, unless specified otherwise. In the I-SCOT setting, S's input x_1, x_2 ∈ D_I represents an interval I, and s_1 (resp. s_0) are to be obliviously transferred if x ∈ I (resp. x ∉ I), for R's input x ∈ D_I. The following diagram illustrates the idea of the reduction of I-SCOT to GT-SCOT:

[Diagram: the domain D_I split at x_1 and x_2; above the line the shares a_1 | a_2 (switching at x_1), below it b_1 | b_2 (switching at x_2); along the line the resulting secrets s_0 | s_1 | s_0.]

Interval I splits D_I in three parts, and S wishes to transfer s_1 "on the central part" (I) and s_0 "on the side parts" (D_I \ I). The idea is to represent these secrets as sums of independently random (i.e. random if taken separately) elements (a_1, a_2, b_1, b_2 ∈ D_S) which are to be transferred using GT-SCOT.

Construction 2. (Reducing I-SCOT to GT-SCOT)

1. S randomly chooses a_1 ∈_R D_S and sets b_1, a_2, b_2 ∈ D_S to satisfy s_0 = a_1 + b_1 = a_2 + b_2 and s_1 = a_2 + b_1.

2. Reduction: R and S (in parallel) invoke oracles for GT-SCOT(a_1|a_2 ? x < x_1) and GT-SCOT(b_1|b_2 ? x < x_2).

3. R obtains a', b' ∈ D_S from the GT-SCOT oracle executions and outputs a' + b'.



Theorem 2. The protocol of Construction 2 securely reduces functionality I-SCOT to GT-SCOT in the semi-honest model.

Proof. (Sketch): The transfer validity property of this reduction trivially holds. Since S does not receive any messages from R or oracle executions, the reduction is secure against semi-honest S. We show how to construct Sim_R, simulating the following ensemble (view of R): VIEW_R(x, (x_1, x_2, s_0, s_1)) = {x, r_1, r_2}, where r_1, r_2 are the sent (via the GT-SCOT oracles) a_i, b_j. Let s be the transferred secret. Then Sim_R(x, s) = {x, r'_1, r'_2}, where the r'_i are independently random elements of D_S that sum up to s. Because, by construction, r_1, r_2 are also independently random with the same sum, Sim_R perfectly simulates the view of R. □

Footnote: We stress that we use GT-SCOT as a black box, and, in particular, addition in D_S is unrelated to the corresponding operation in the GT-SCOT implementation.

We now wish to reduce UI-SCOT of polynomially many intervals to I-SCOT. Here, S's input represents a set of disjoint intervals {I_i = (x_{i1}, x_{i2} ∈ D_I)}, and the secrets s_0, s_1 ∈ D_S. S wishes to transfer s_1 if x ∈ ∪_i I_i, and transfer s_0 otherwise. Let k be the number of intervals in the set (to avoid leaking k to R, S can pad it to a known upper bound by adding empty intervals). We represent ∪_i I_i as the intersection of one "regular" and k − 1 "cutout" intervals as illustrated on the following diagram.



[Diagram: k constructed intervals drawn one per line over the domain, the first labelled s_10 | s_11 | s_10 (the regular interval) and each further one labelled s_j1 | s_j0 | s_j1 (a cutout interval, j = 2..k); the bottom line shows the input set of intervals, labelled s_1 inside each input interval and s_0 outside.]



The bottom line represents the input set of intervals on the domain, and all other lines represent the constructed (by S) intervals that together correspond to this set. The s_j are the secrets to be transferred by the UI-SCOT construction, and the s_{ij} are the intermediate secrets to be created by UI-SCOT and transferred by the existing I-SCOT protocol. Because the input intervals are disjoint, the cut out (thin, on the diagram) parts of the constructed intervals do not intersect, and thus any x either belongs to all or to all but one constructed intervals.

To reduce UI-SCOT to I-SCOT, we need to choose s_{ij} ∈ D_S based on the given s_j. Because of the above observation we only need to satisfy the following:

$$s_1 = \sum_{i} s_{i1}, \qquad s_0 = \sum_{i \neq j} s_{i1} + s_{j0}, \quad \forall j = 1..k.$$

Observe that the second condition is equivalent to requiring s_1 − s_0 = s_{j1} − s_{j0}, ∀j = 1..k.

Construction 3. (Reducing UI-SCOT to I-SCOT)

1. S chooses s_{11}, ..., s_{k−1,1} ∈_R D_S and sets s_{k1} = s_1 − Σ_{i<k} s_{i1} and s_{i0} = s_{i1} − (s_1 − s_0), i = 1..k.

2. Reduction: S and R (in parallel) invoke oracles for I-SCOT(s_{i1}|s_{i0} ? x ∈ I_i), for each i = 1..k.

3. R obtains a_1, ..., a_k ∈ D_S from the k oracle executions and outputs Σ_i a_i.

Theorem 3. The protocol of Construction 3 securely reduces functionality UI-SCOT to I-SCOT in the semi-honest model.

Proof. (Sketch): The transfer validity property of this reduction trivially holds. Since S does not receive any messages from R or oracle executions, the reduction is secure against semi-honest S. We show how to construct Sim_R simulating the view of R, VIEW_R(x, y) = {x, r_1, ..., r_k}, where r_1, ..., r_k are the oracle-sent elements of D_S defined by step 1 of the construction. Let s be the transferred secret. Then Sim_R(x, s) = {x, r'_1, ..., r'_k}, where r'_i ∈_R D_S with the restriction s = Σ_i r'_i. Sim_R perfectly simulates the view of R because both ensembles are (k−1)-wise independent random numbers that sum up to the same value s. □

The (∧_i Q_i(x_i, y_i))-COT Protocol. We now build (∧_i Q_i(x_i, y_i))-COT (in the sense of [4]) using oracles for the corresponding Q_i-SCOT. R now has input x_1, ..., x_n, and S has y_1, ..., y_n. S wishes to send a secret s to R iff ∧_i (Q_i(x_i, y_i)) = 1. The idea is to introduce "specialness" of s like we did for GT-SCOT, by, for example, extending the domain of secrets D_S to the group D'_S = Z_{d'_S}, where d'_S = |D'_S| ≫ |D_S|. Then S represents s ∈ D_S as a sum of random secrets s_i ∈_R D'_S, and runs Q_i-SCOT(s_i|r_i ? Q_i(x_i, y_i)), where r_i ∈_R D'_S. Indeed, if the conjunction holds, then only the s_i's will be transferred, and they will sum up to s ∈ D_S. If any (or any number of) predicates do not hold, one (or more) r_i will be transferred, which will randomize (in D'_S) the sum obtained by R.

Construction 4. (Reducing (∧_i Q_i(x_i, y_i))-COT to Q_i-SCOT)

1. S chooses r_1, ..., r_n, s_1, ..., s_{n−1} ∈_R D'_S and sets (in D'_S) s_n = s − Σ_{i<n} s_i.

2. R and S in parallel invoke oracles for Q_i-SCOT(s_i|r_i ? Q_i(x_i, y_i)), ∀i = 1..n.

3. R obtains a_1, ..., a_n ∈ D'_S from the Q_i-SCOT oracle executions and sets v = Σ_i a_i. R outputs v, if v ∈ D_S, and outputs ⊥ otherwise.

Theorem 4. The protocol of Construction 4 securely reduces functionality (∧_i Q_i(x_i, y_i))-COT to Q_i-SCOT in the semi-honest model.

Proof: The simple proof is very similar to the previous ones and is omitted. □

Corollary 1. There exist (via Construction 4 and DeMorgan laws) efficient one-round protocols for computing conjunction and disjunction of memberships in sets of intervals, secure against computationally unlimited R.
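Constructions 2, 3 and 4 (the I-SCOT, UI-SCOT and conjunction-COT reductions), as an added example that is not the paper's own code: an ideal GT-SCOT oracle function stands in for Construction 1, the groups D_S = Z_{2^32} and D'_S = Z_{2^64} are constructed choices, and realising each cutout interval as an I-SCOT on the gap with s_j1 and s_j0 swapped is an assumption about how the diagram is meant to be read.

```python
import random

# Constructed toy parameters (not from the paper): the secrets domain D_S is the
# additive group Z_{2^32}; the enlarged group D'_S of Construction 4 is Z_{2^64}.
D_S = 1 << 32
D_S_PRIME = 1 << 64


def gt_scot_oracle(x, bound, s_lt, s_ge):
    """Ideal GT-SCOT oracle (hypothetical stand-in for Construction 1): R, holding
    x, learns s_lt if x < bound and s_ge otherwise, and nothing else."""
    return s_lt if x < bound else s_ge


def i_scot(x, x1, x2, s0, s1, mod=D_S):
    """Construction 2: I-SCOT for I = [x1, x2) from two GT-SCOT calls.
    R learns s1 if x lies in I, else s0."""
    # Step 1 (S): a_1 random; b_1, a_2, b_2 fixed by
    # s_0 = a_1 + b_1 = a_2 + b_2 and s_1 = a_2 + b_1, all in D_S
    a1 = random.randrange(mod)
    b1 = (s0 - a1) % mod
    a2 = (s1 - b1) % mod
    b2 = (s0 - a2) % mod
    # Step 2: GT-SCOT(a_1|a_2 ? x < x_1) and GT-SCOT(b_1|b_2 ? x < x_2) in parallel
    a = gt_scot_oracle(x, x1, a1, a2)
    b = gt_scot_oracle(x, x2, b1, b2)
    # Step 3 (R): output the sum of the two received shares
    return (a + b) % mod


def ui_scot(x, intervals, s0, s1, mod=D_S):
    """Construction 3: UI-SCOT for a union of k disjoint intervals [l_i, r_i),
    given in increasing order. R learns s1 if x lies in the union, else s0."""
    k = len(intervals)
    # Step 1 (S): s_11..s_{k-1,1} random, s_k1 = s_1 - sum, s_i0 = s_i1 - (s_1 - s_0)
    s_i1 = [random.randrange(mod) for _ in range(k - 1)]
    s_i1.append((s1 - sum(s_i1)) % mod)
    s_i0 = [(v - (s1 - s0)) % mod for v in s_i1]
    # Step 2: the "regular" interval [l_1, r_k) ...
    received = [i_scot(x, intervals[0][0], intervals[-1][1], s_i0[0], s_i1[0], mod)]
    # ... and k-1 "cutout" intervals. Each cutout is the complement of the gap
    # [r_{j-1}, l_j); here (an assumption about the diagram, not spelled out in
    # the paper) it is realised as I-SCOT on the gap with s_j1 and s_j0 swapped.
    for j in range(1, k):
        gap_lo, gap_hi = intervals[j - 1][1], intervals[j][0]
        received.append(i_scot(x, gap_lo, gap_hi, s_i1[j], s_i0[j], mod))
    # Step 3 (R): x is in all constructed intervals (sum = s_1) or in all but
    # one (sum = s_1 - s_j1 + s_j0 = s_0)
    return sum(received) % mod


def conj_ui_cot(xs, interval_sets, s):
    """Construction 4 with UI-SCOT as the Q_i-SCOT oracle: R learns s iff every
    x_i lies in its union of intervals; otherwise R outputs None (the paper's bottom)."""
    n = len(xs)
    # Step 1 (S): in D'_S, s = s_1 + ... + s_n with s_1..s_{n-1} random; r_i random
    shares = [random.randrange(D_S_PRIME) for _ in range(n - 1)]
    shares.append((s - sum(shares)) % D_S_PRIME)
    rs = [random.randrange(D_S_PRIME) for _ in range(n)]
    # Step 2: Q_i-SCOT(s_i | r_i ? Q_i(x_i, y_i)) for each i, in parallel
    received = [ui_scot(xs[i], interval_sets[i], rs[i], shares[i], D_S_PRIME)
                for i in range(n)]
    # Step 3 (R): sum in D'_S; a single transferred r_i randomises the sum, so a
    # value outside the much smaller D_S reveals that some predicate failed
    v = sum(received) % D_S_PRIME
    return v if v < D_S else None
```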

4.2 Resource Analysis 

We continue and expand the resource analysis of Sect. 3.2. Recall that λ and ν are the correctness and security parameters. As discussed in Observation 1, we choose ν = log N and λ as in [6]. This determines the secrets domain D_S to be of size 2^{ν − λ}. As noted in Sect. 3.2, we do not include the cost of key generation in any of the compared solutions.

It is easy to see that Construction 3 makes 2k calls to the underlying λ-bit GT-SCOT oracle. Thus, when using our implementation of GT-SCOT, UI-SCOT requires sending 8kn log N bits and performing about 40kn log N multiplications in a group of size N. Using a λ-bit GT-SCOT oracle implementation based on Fischlin's GT results in an almost full factor of 2k blowup in communication since the server sends most of the traffic. The 2k factor blowup in the computation also seems necessary when using this scheme.

The following table summarizes the cost of comparable modular multiplica- 
tions and communication of our protocol in relation to others. 
Protocol   | GT predicate            | c-bit GT-SCOT, c ≤ ν − λ  | UI-SCOT
           | mod. mult. | comm.      | mod. mult. | comm.        | mod. mult.  | comm.
of [6]     | 8nλ        | 4n log N   | 32ncλ      | 4ncλ log N   | 64knλ^2     | 8knλ^2 log N
of [4]     | 8n         | 4n log N   | N/A        | N/A          | N/A         | N/A
our work   | 16n log N  | 4n log N   | 20n log N  | 4n log N     | 40kn log N  | 8kn log N



We see no obvious way to transform the schemes of [4] to GT-SCOT, and 
thus do not include the corresponding resource calculations. 



5 Conclusions and Future Work 

We presented simple, intuitive and stronger definitions for Q-SCOT. We presented a flexible and efficient scheme for securely computing the GT predicate and GT-SCOT, in the semi-honest setting with unbounded receiver. We then showed simple modular reductions from UI-SCOT to GT-SCOT. In addition to the presented results, we noticed that natural efficient variants of our protocols are resilient to several natural attacks by malicious receivers. Devising versions of our protocols secure in the malicious model is an interesting aspect of further consideration.
Abstract. In the bare public-key model, introduced by Canetti et al. [STOC 2000], it is only assumed that each verifier deposits during a set-up phase a public key in a file accessible by all users at all times. As pointed out by Micali and Reyzin [Crypto 2001], the notion of soundness in this model is more subtle and complex than in the classical model. Indeed Micali and Reyzin have introduced four different notions which are called (from weaker to stronger): one-time, sequential, concurrent and resettable soundness. In this paper we introduce the counter public-key model (the cPK model for short), an augmentation of the bare public-key model in which each verifier is equipped with a counter and, like in the original bare public-key model, the key of the verifier can be used for any polynomial number of interactions with provers. In the cPK model, we give a three-round concurrently-sound resettable zero-knowledge argument of membership for NP. Previously similar results were obtained by Micali and Reyzin [EuroCrypt 2001] and then improved by Zhao et al. [EuroCrypt 2003] in models in which, roughly speaking, each verifier is still equipped with a counter, but the key of the verifier could only be used for a fixed number of interactions.



1 Introduction 

The notion of Zero Knowledge, put forth by Goldwasser, Micali and Rackoff [1], 
has proved to be a fundamental concept in the area of complexity-based cryptog- 
raphy. The original notions of security with respect to malicious provers (formal- 
ized by the soundness requirement) and the security with respect to malicious 
verifiers (captured by the zero-knowledge requirement) only considered a prover 
and a verifier acting in isolation. Recently, the case in which provers and ver- 
ifiers are part of a large system (and thus prover- verifier interactions may be 
interleaved) has been considered and stronger notions of soundness and zero 
knowledge have been proposed. In a sequence of papers the notions of concur- 
rent zero knowledge [2] and resettable zero knowledge [3] were introduced and 
protocols in the standard model were provided [4, 5, 6, 3]. 

P.J. Lee (Ed.): ASIACRYPT 2004, LNCS 3329, pp. 530-544, 2004.
© Springer-Verlag Berlin Heidelberg 2004
An important measure of the efficiency of a system is the number of rounds needed. Lower bounds for the number of rounds for concurrent and resettable zero knowledge have shown that these strong notions of security cannot be implemented, in the standard model, using a constant number of rounds if black-box zero knowledge is sought [7]. Canetti et al. [3] were thus motivated to introduce the bare public-key model (the BPK model for short) in which, during a set-up stage, each verifier stores in a public file his public key to be used in all subsequent interactions and keeps secret the associated private key. In this model constant-round concurrent and resettable zero-knowledge arguments for all NP were shown to exist in [3].

Other models have been proposed in order to achieve similar results by focus- 
ing on black-box concurrent zero knowledge, in particular the results of [2, 8, 9] 
in the timing model, those of [10,11] in the common reference string model, 
those of [13] in the preprocessing model, and those of [12] in some partially 
synchronous model. 

Among the different proposed models, the BPK model has the following ad- 
vantages: 1) it is not based on any trusted third party; 2) no timing assumption 
is made; 3) the set-up stage is non-interactively performed only by the veri- 
fiers. Consequently, the public-key model is, from among the currently proposed 
models, the one that makes the least set-up assumptions and, in particular, it is 
weaker than the widely accepted Public Key Infrastructure model. 

Subsequently to the introduction of the BPK model, Micali and Reyzin [14] 
noticed that, unlike in the standard model for interactive zero knowledge, dis- 
tinct notions of soundness arise depending on whether the verifier’s public key 
is used for once (one-time soundness), for polynomially many sequential argu- 
ments (sequential soundness), for polynomially many concurrently interleaved 
arguments (concurrent soundness), or whether the prover is allowed to reset 
the verifier to a given state during the interaction (resettable soundness). How- 
ever, they showed that resettably sound zero knowledge cannot be achieved in 
the black-box model for non-trivial languages. Consequently, for black-box zero 
knowledge, the strongest possible notion is that of a concurrently sound reset- 
table zero-knowledge argument. In [14], Micali and Reyzin showed that in the 
BPK model, concurrent soundness cannot be achieved in less than four rounds. 
Moreover they showed that the argument system of Canetti et al. presented in [3] is only sequentially sound and the same holds for the four-round resettable zero-knowledge argument presented in [14]. Recently, the existence of a constant-round concurrently-sound resettable zero-knowledge argument in the BPK model has been proved by [15] where a 4-round concurrently-sound resettable zero-knowledge argument in the BPK model has been given for all NP languages.

Prior to the work of [15], augmented variations of the BPK model had been presented in which constant-round concurrently-sound resettable zero knowledge could be achieved. These proposals are interesting, even in light of the result of [15], since they achieve three-round concurrently-sound resettable zero knowledge which is remarkable as no non-trivial (black-box) zero knowledge can be achieved in less than three rounds in any variation of the BPK model [14, 16]. In particular, three-round concurrently sound resettable zero-knowledge arguments for all NP are possible in the upper-bounded public-key (UPK, for short) model (see [17]) and in the weak public-key (WPK, for short) model (see [18]). In the UPK model, each public key can be used for a fixed number of arguments to be determined during set-up. The verifier is equipped with a counter to keep track of the number of arguments he has been involved in. In the WPK model, instead, there is a fixed upper bound on the number of times the verifier can be involved in sessions regarding the same statement. Thus, also in this model, the verifier must have a counter (actually, one for each possible statement).

Our Contribution. In this paper we introduce the counter public-key (cPK for 
short) model, that is a model weaker than the WPK (and thus of the UPK) model 
and only slightly stronger than the BPK model. The cPK model, like the UPK of 
Micali and Reyzin and the WPK of Zhao et al., is an extension of the BPK model in 
which the verifier is equipped with a counter that, roughly speaking, keeps track 
of the number of sessions that she has been involved with. However, unlike the 
UPK model and the WPK model, each public key of the verifier can be used any 
polynomial number of times exactly like in the original BPK model. Therefore, 
our proposed model, although slightly stronger than the original BPK model, can 
be considered much weaker than the UPK model and the WPK model. Indeed, in 
the cPK model the verifier has no bound on the number of proofs he can engage 
with the provers while in both UPK and WPK models once the bound is reached, 
soundness is not guaranteed to hold. 

We first present a three-round concurrently sound resettable zero-knowledge argument of membership for NP in the cPK model. This construction improves the previous works of [17, 18] that achieved the same result but in stronger models. We notice that, in the BPK model, concurrent soundness requires 4 rounds. Our protocol is based on the existence of sub-exponentially hard primitives, as in all previous works for obtaining a constant-round resettable zero-knowledge argument in any public-key model.

Our second construction is a three-round concurrently sound concurrent zero-knowledge argument of knowledge for all NP relations in the cPK model under standard intractability assumptions. We notice that, in the black-box model, resettable zero-knowledge arguments of knowledge exist only for trivial languages and thus concurrent zero knowledge is the strongest notion of zero knowledge that can be achieved when arguments of knowledge are sought.

2 The cPK Model 

The cPK model assumes that: 

1. there exists a public file F that is a collection of records, each containing a 
public key; 

2. an (honest) prover is an interactive deterministic polynomial-time algorithm 
that takes as input a security parameter 1^n, F, an n-bit string x such that 
x ∈ L and L is an NP-language, an auxiliary input y, a reference to an 
entry of F and a random tape; 

3. an (honest) verifier V is an interactive deterministic polynomial-time algo- 
rithm that works in the following two stages: 1) in a first stage, on input a 
security parameter 1^n and a random tape, V generates a key pair (pk, sk) 
and stores pk in one entry of the file F; 2) in the second stage, V takes 
as input the private key sk, a counter value c, a statement "x ∈ L" and a 
random string, then V performs an interactive protocol with a prover, and 
outputs "accept" or "reject"; 

4. interactions between prover and verifier start after all verifiers have com- 
pleted their first stage. 

Definition 1. Given an NP-language L and its corresponding relation R_L, we 
say that a pair (P, V) is complete for L if, for all n-bit strings x ∈ L and any 
witness y such that (x, y) ∈ R_L, the probability that V, interacting with P on 
input y, outputs "reject" is negligible in n. 

Malicious Provers in the cPK Model. We will give argument systems that are 
sound with respect to s-concurrent malicious provers, for any positive polyno- 
mial s. An s-concurrent malicious prover P* for the complete pair (P, V) is a 
probabilistic polynomial-time algorithm that takes as input V's public key pk, 
and, if P* is concurrently running i sessions, for 0 ≤ i < s(n), P* can pick a 
new statement x_{i+1} and a value c_{i+1} of the counter and start a new session with 
V on input x_{i+1} and c_{i+1}. The only restriction is that, for each value c of the 
counter, P* can only start one session with value c. Also, we allow the malicious 
prover to schedule his messages in the concurrent sessions in any way he wants 
and, for each message of P*, V's reply is immediately received. 

We stress here that our definition of malicious prover is the same used by L. 
Reyzin (see [16]) for the UPK model. Instead, in [18], the value of the counter 
is assumed to be private to the verifier and the malicious prover has no way of 
manipulating it. Moreover, we stress that in the cPK model there is no bound on 
the number of sessions in which the verifier can be involved, thus the model is 
weaker than the WPK and UPK models and very close to the standard BPK model. 

Given an s-concurrent malicious prover P* and an honest verifier V, a con- 
current attack is performed in the following way: 1) the first stage of V is run on 
input 1^n and a random string so that a pair (pk, sk) is obtained; 2) P* is run on 
input 1^n and pk; 3) whenever P* starts a new protocol choosing a statement, V 
is run on input the new statement, a new random string and sk. 

Definition 2. Given a complete pair (P, V) for an NP-language L in the cPK 
model, (P, V) is a concurrently sound interactive argument system in the 
cPK model for language L if, for all positive polynomials s, for all s-concurrent 
malicious provers P*, for any false statement "x ∈ L" the probability that in 
an execution of a concurrent attack V outputs "accept" for such a statement is 
negligible in n. 
The strongest notion of zero knowledge, referred to as resettable zero knowl- 
edge, gives a verifier the ability to reset the prover to a previous state. This 
is significantly different from a scenario of multiple interactions between prover 
and verifier, since after a reset the prover uses the same random bits. We now 
give the formal definition of a black-box resettable zero-knowledge argument 
system with concurrent soundness for NP in the counter public-key model. 

Definition 3. An interactive argument system (P, V) in the cPK model is black- 
box resettable zero-knowledge if for any polynomial t(·), and for any probabilistic 
adversary V* running in time t(·), there exists a probabilistic polynomial-time 
algorithm S such that for any polynomial s(·), for any x_1, ..., x_{s(n)} ∈ L of length 
n, the following two distributions are indistinguishable: 

1. the output of V* consisting of a public file F with s(n) entries and the tran- 
script of a polynomial number of (even concurrent) interactions with each 
P(x_i, y_i, r_g, F, l), where y_i is a witness for "x_i ∈ L", |x_i| = n, r_g is a random 
tape and l specifies an entry of the public file, for 1 ≤ i, l, g ≤ s(n); 

2. the output of S that has black-box access to V* on input x_1, ..., x_{s(n)}. 

Moreover we define such an adversarial verifier V* as an (s, t)-resetting ma- 
licious verifier. 

3 Cryptographic Tools 

We review the cryptographic tools that we will use in our constructions. We 
start from the notions of an η-secure digital signature scheme and of a γ-secure 
commitment scheme. 

Definition 4. An η-secure digital signature scheme SS is a triple of algorithms 
SS = (G, Sig, Ver) such that 

1. Correctness: for all messages m ∈ {0, 1}^k, 

$$\Pr[(pk, sk) \leftarrow G(1^k);\ \hat{m} \leftarrow \mathrm{Sig}(m, sk) : \mathrm{Ver}(m, \hat{m}, pk) = 1] = 1.$$

2. Unforgeability: for all algorithms A running in time o(2^{k^η}) it holds that 

$$\Pr[(pk, sk) \leftarrow G(1^k);\ (m, \hat{m}) \leftarrow A^{O(sk)}(pk) : m \notin \mathrm{Query}\ \text{and}\ \mathrm{Ver}(m, \hat{m}, pk) = 1]$$

is negligible in k, where O(sk) is a signature oracle that on input a message 
returns as output a signature of the message and Query is the set of signature 
requests submitted by A to O. 

We assume that signatures of k-bit messages produced by using keys with 
security parameter k have length k. This is not generally true, as for each signa- 
ture scheme we have a constant a such that signatures of k-bit messages have 
length depending on a, but this assumption has the advantage of not overburdening the notation. It is 
understood that all our proofs continue to hold if this assumption is removed. 

Standard secure signature schemes exist under the assumption of the exis- 
tence of one-way functions [19]. In our case we need the existence of functions 
that are one-way with respect to subexponential-time adversaries. 
Definition 5. A γ-secure bit commitment scheme is a pair of algorithms (Com, 
Dec) such that 

1. Correctness: for all b ∈ {0, 1} and for all k, 

$$\Pr[(com, dec) \leftarrow \mathrm{Com}(b, 1^k) : \mathrm{Dec}(com, dec, b) = 1] = 1;$$

2. Perfect Binding: for all k, the set of strings com of length k for which there 
exist strings dec_0, dec_1 such that Dec(com, dec_0, 0) = 1 and Dec(com, dec_1, 1) 
= 1 is empty; 

3. Computationally Hiding: the ensembles of random variables 

$$\{[(com, dec) \leftarrow \mathrm{Com}(0, 1^k) : com]\}_{k > 0} \quad \text{and} \quad \{[(com, dec) \leftarrow \mathrm{Com}(1, 1^k) : com]\}_{k > 0}$$

are indistinguishable with respect to algorithms running in time o(2^{k^γ}); 

4. Extractability: there exists an extractor algorithm E running in time 2^{k^γ} 
such that, for all commitments com computed by a probabilistic polynomial- 
time committer adversary A, if A succeeds in decommitting com as b with 
non-negligible probability, then E(com) = b with overwhelming probability. 

The above definitions can be easily extended to the case in which we wish to 
commit to a string (instead of committing to a bit). Such commitment schemes 
exist, for instance, under the assumption that there exist permutations that are 
one-way with respect to polynomial-time adversaries but that can be 
inverted in subexponential time. In [20], this type of commitment scheme is 
used in order to achieve straight-line extractability in superpolynomial time. 
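As an added illustration (not code from the paper), the following Python toy shows what the extractability clause of Definition 5 buys in the complexity-leveraging arguments that follow: a bit commitment whose randomness has k_1 bits can be opened by an extractor that enumerates all 2^{k_1} decommitments, while Com and Dec cost one hash each. SHA-256 over short randomness stands in for Com (an assumption of this example; it is only computationally binding, unlike the perfectly binding scheme the definition requires), and the string extension mentioned in the text is done bit by bit.

```python
"""Toy extractable bit commitment illustrating the extractor of Definition 5.
SHA-256 over k1 bits of randomness stands in for Com (an assumption of this
example; it is computationally, not perfectly, binding).  The extractor E tries
all 2^k1 openings, so its cost is exponential in k1 while Com/Dec cost one hash."""
import hashlib
import secrets


def _h(b, r, k1):
    """Hash of (randomness r, bit b); r is encoded in ceil(k1/8) bytes."""
    return hashlib.sha256(r.to_bytes((k1 + 7) // 8, "big") + bytes([b])).digest()


def com(b, k1):
    """Com(b, 1^k1): returns (com, dec); dec is the k1-bit randomness."""
    r = secrets.randbits(k1)
    return _h(b, r, k1), r


def dec(c, r, b, k1):
    """Dec(com, dec, b) = 1 iff (b, dec) is a valid opening of com."""
    return b in (0, 1) and _h(b, r, k1) == c


def extract_bit(c, k1):
    """Extractor E: brute force over all 2^k1 randomness values and both bits."""
    for r in range(1 << k1):
        for b in (0, 1):
            if _h(b, r, k1) == c:
                return b
    return None  # not a well-formed commitment


def com_string(s, k1):
    """String extension: one bit commitment per bit of s, most significant bit first."""
    return [com((byte >> i) & 1, k1) for byte in s for i in range(7, -1, -1)]


def extract_string(coms, k1):
    """Runs E on every bit commitment; cost is at most 2 * 2^k1 hashes per bit."""
    bits = [extract_bit(c, k1) for c, _ in coms]
    if any(b is None for b in bits) or len(bits) % 8:
        raise ValueError("malformed string commitment")
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                 for i in range(0, len(bits), 8))
```

With k1 = 10 the extractor needs about 2,000 hashes per bit; raising k1 to 40 makes the same loop take on the order of 10^12 hashes per bit, which is the "exponential in k_1, still o(2^{k^η}) for a suitable k_1" trade-off exploited by the soundness proof in Section 4.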

Finally, we review the notion of a ZAP [21]. 

Definition 6. A triple of polynomial-time algorithms (ZG, ZP, ZV) is a ZAP 
for the NP-language L with polynomial-time relation R_L iff: 

1. Completeness: given a witness y for "x ∈ L" and z = ZG(1^k), then 
ZV(x, z, ZP(x, y, z)) = 1 with probability 1. 

2. Soundness: for all x ∉ L, with overwhelming probability over z = ZG(1^k), 
there exists no z' such that ZV(x, z, z') = 1. 

3. Witness-Indistinguishability: let y_1, y_2 be such that (x, y_1) ∈ R_L and (x, y_2) 
∈ R_L. Then ∀z, the distributions of ZP(x, y_1, z) and of ZP(x, y_2, z) are 
computationally indistinguishable. 

In [21] a ZAP is presented under the assumption that non-interactive zero- 
knowledge proofs exist, thus the existence of ZAPs is implied by the existence 
of one-way trapdoor permutations. 

Since we will need ZAPs to be secure with respect to subexponentially strong 
adversaries, we need subexponentially strong versions of these assumptions. 



4 Three-Round Arguments in the cPK Model 

In the cPK model we show that there exist three-round arguments of member- 
ship for all NP languages that are concurrently sound and black-box resettable 
zero knowledge. We stress that a concurrently sound resettable zero-knowledge 
argument in the BPK model requires at least four rounds (see [14]), while the pre- 
viously presented three-round protocols require stronger models than the cPK 
model (see [17, 18]). 

Our construction assumes the existence of η-secure signature schemes, γ- 
secure commitment schemes, a pseudo-random family of functions (which can be 
constructed assuming the existence of one-way functions) and the existence of 
ZAPs secure with respect to subexponential-time adversaries. We use subex- 
ponentially strong cryptographic primitives since we crucially use complexity 
leveraging for our result. 

We then show how to obtain three-round arguments of knowledge for all 
polynomial-time relations that are concurrently sound and black-box concurrent 
zero-knowledge under standard complexity assumptions. We stress that black- 
box resettable zero-knowledge arguments of knowledge are not possible [22, 14], 
that concurrent soundness needs four rounds in the BPK model, and that three 
rounds is optimal for zero knowledge in any public-key model. 

4.1 Three-Round RZK Argument of Membership in the cPK Model 

In this section we present our construction for the three-round argument of 
membership for all NP in the cPK model that is concurrently sound and resettable 
zero-knowledge. Throughout the section, L will be a fixed NP language. 

Our proof system will follow the FLS paradigm for zero knowledge [23], and 
we next define the auxiliary language A = A(L) that we are going to use. 

Definition 7. The 8-tuple τ = (x, c, â_1, â_2, b̂_1, b̂_2, k, pk) belongs to the language 
A if 

— x ∈ L or 

— there exist a_1, a_2, α_1, α_2, b_1, b_2, β_1, β_2 such that 

1. pk is a public key in the output space of G(1^k); 

2. a_1 ≠ a_2; 

3. (â_1, α_1) = Com(a_1, 1^{k_1}) and (â_2, α_2) = Com(a_2, 1^{k_1}); 

4. (b̂_1, β_1) = Com(b_1, 1^{k_1}) and (b̂_2, β_2) = Com(b_2, 1^{k_1}); 

5. Ver(a_1 ∘ c, b_1, pk) = 1 and Ver(a_2 ∘ c, b_2, pk) = 1. 

Informally speaking, τ = (x, c, â_1, â_2, b̂_1, b̂_2, k, pk) belongs to A if x belongs to 
L or if, for i = 1, 2, b̂_i is the commitment of a valid signature b_i (with respect to 
pk) of the message a_i committed to by â_i concatenated with c. 

Assumptions. In our construction we assume the existence of the following cryp- 
tographic tools. 

1. an η-secure digital signature scheme SS = (G, Sig, Ver); 

2. a γ-secure commitment scheme (Com, Dec); 

3. a pseudo-random family of functions 𝓕; 

4. a ZAP (ZG, ZV, ZP) for the language A. 
High-Level Overview. Let k be the security parameter. The public entry of a 
verifier contains a public key pk for a secure signature scheme and the first 
message z of a ZAP for A. The actual proof that x ∈ L consists of a first round 
in which the prover sends a random message m to the verifier. The verifier replies 
with the current value c (in unary) of the counter and a signature m̂ of m ∘ 
c. The prover first verifies that m̂ is a valid signature and then constructs 4 
commitments â_1, â_2, b̂_1, b̂_2 of 0^k. Finally the prover computes the second message 
of the ZAP, in which he proves that x ∈ L or that b̂_1 and b̂_2 are the commitments 
of valid signatures b_1, b_2 of messages a_1 ∘ c and a_2 ∘ c such that a_1 ≠ a_2 and a_1 
and a_2 are the messages committed in â_1 and â_2. 

Let us now informally argue the properties of our construction. For con- 
current soundness we observe that, even if the prover opens polynomially many 
concurrent sessions with the verifier, he will receive signatures of messages rel- 
ative to different values of the counter. In particular, the prover will never see 
the signatures of two messages with the same value of the counter as suffix. We 
will use a γ-secure commitment scheme along with a ZAP in order to show that 
a prover that proves false statements can be used by a superpolynomial-time 
algorithm in order to break a subexponentially strong assumption. Such a tele- 
scopic use of the hardness of different cryptographic assumptions is referred to as 
complexity leveraging, and its power is gaining interest. The use of an extractable 
commitment along with a ZAP is also discussed and used in [20]. 

For the resettable zero-knowledge property, the simulator, while interacting 
with the verifier V*, will try, by rewinding V*, to get signatures for two messages 
with the same value of the counter as suffix. More precisely, to simulate the proof 
that x ∈ L, the simulator will first ask for the signature of message m ∘ c (where 
c is the current value of the counter), then it starts a look-ahead (by rewinding 
V*) in order to obtain the signature of a new message m' ∘ c. Once the signature 
is obtained, the look-ahead ends and the simulator goes back to the 
original execution, since it is now able to successfully run the third round. 

The crucial observation to show that the simulation ends in expected polyno- 
mial time is that the values of the counters cannot be greater than the running 
time of the adversarial verifier (since V* sends the value of the counter in unary). 
More precisely, each look-ahead starts after the first signature corresponding to 
a given counter value and to a given public key has been received by S. Since the 
number of public keys is polynomially bounded (the size of the public file does not 
change after the preprocessing stage) and the running time of an (s, t)-resetting 
verifier is bounded by the polynomial t, we have that the number of look-aheads 
is polynomial. Moreover, each look-ahead starts because a given counter value 
has been sent by V* on input a given transcript. Therefore, the expected number 
of rewinds needed in order to obtain the same counter again (in the 
look-ahead the corresponding signature is asked for a different message) is the 
inverse of the probability that V* plays such a value. Finally, by observing that 
the simulation between two rewinds can be run by S in polynomial time, we 
have that the simulator runs in expected polynomial time. 
Formal Description. Let k be the security parameter. The verifier runs the key 
generator G for the η-secure signature scheme on input 1^k, obtaining the pair 
(pk, sk). Moreover, the verifier runs ZG on input 1^k and obtains z, which will be 
used as the first round of the ZAP for the language A. The entry of the verifier 
in the public file consists of the pair (pk, z). The private key sk associated with 
pk is kept secret by the verifier. Moreover, the verifier initializes her counter c 
by setting c = 0. The protocol is found in Figure 1. 



Common input: security parameter k, public file F = {(pk, z)} and instance x. 
P's private input: a witness y for x ∈ L. 

V's private input: private key sk and a counter c. 

P-round-1: 

1. randomly pick seed s; 

2. compute w = 𝓕(s, x ∘ y ∘ pk) and use w as randomness; 

3. randomly pick m ← {0, 1}^k and send it to V; 

V-round-2: 

1. increment c; 

2. compute m̂_c = Sig(m ∘ c, sk); 

3. send (1^c, m̂_c) to P; 

P-round-3: 

1. verify that Ver(m ∘ c, m̂_c, pk) = 1; 

2. randomly pick seed s'; 

3. compute w' = 𝓕(s', x ∘ y ∘ pk ∘ m̂_c ∘ c) and use w' as randomness; 

4. use a γ-secure commitment function Com to compute commitments 

â_1, â_2, b̂_1, b̂_2 where â_j = Com(0^k, 1^{k_1}) and b̂_j = Com(0^k, 1^{k_1}) for j = 1, 2; 

5. compute Z = ZP((x, c, â_1, â_2, b̂_1, b̂_2, k, pk), y, z); 

6. send â_1, â_2, b̂_1, b̂_2 and Z to V; 

V-decision: verify that the ZAP is valid by running ZV on input instance 
τ = (x, c, â_1, â_2, b̂_1, b̂_2, k, pk), initial ZAP-message z and ZAP-reply Z. 



Fig. 1. The 3-round concurrently sound rZK argument for NP in the cPK model. The 
value k_1 is chosen based on η, γ and k (see the proof of concurrent soundness). 
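As an added, runnable sketch (not the paper's code; the paper gives no implementation), the Python model below follows the skeleton of Figure 1 and the cPK model of Section 2: the verifier increments its counter and signs m ∘ c, the prover checks the signature, honest concurrent sessions never share a counter value, and a simulator that rewinds the verifier obtains two signatures with the same suffix c, which is exactly the second branch of language A. RSA-FDH with 256-bit primes stands in for the η-secure signature scheme and the separator used for m ∘ c is an encoding choice; both are assumptions of this example. The commitments and the ZAP are not modelled; only the witness condition of Definition 7 is checked.

```python
"""Toy model of the Figure 1 skeleton: the verifier's counter, the signature of m ∘ c
and the simulator's look-ahead.  RSA-FDH over 256-bit primes stands in for the
eta-secure signature scheme (an assumption of this example, not the paper's
instantiation); commitments and the ZAP are omitted and only the witness
condition of the auxiliary language A (Definition 7) is checked."""
import hashlib
import secrets

E = 65537  # public RSA exponent

def is_probable_prime(n, rounds=32):
    """Miller-Rabin with a small trial-division prefilter."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def keygen(bits=256):
    """G(1^k): returns (pk, sk) = ((e, n), (d, n)).  256-bit primes are a toy size."""
    while True:
        p, q = gen_prime(bits), gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E != 0:
            return (E, p * q), (pow(E, -1, phi), p * q)

def _fdh(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sig(msg, sk):
    """Sig(msg, sk): full-domain-hash RSA signature."""
    d, n = sk
    return pow(_fdh(msg, n), d, n)

def ver(msg, s, pk):
    """Ver(msg, s, pk) = 1 iff s is a valid signature of msg under pk."""
    e, n = pk
    return pow(s, e, n) == _fdh(msg, n)

def concat(m, c):
    """m ∘ c with an explicit separator so that (m, c) is parsed unambiguously."""
    return m + b"|" + str(c).encode()

class Verifier:
    """Honest V of Figure 1: increments c and signs m ∘ c, one signature per value of c."""
    def __init__(self):
        self.pk, self.sk = keygen()
        self.c = 0

    def round2(self, m):
        self.c += 1
        return self.c, sig(concat(m, self.c), self.sk)

def prover_round1():
    return secrets.token_bytes(32)  # m <- {0,1}^k

def is_A_witness(a1, a2, b1, b2, c, pk):
    """Second branch of Definition 7: a1 != a2 and both a_i ∘ c carry valid signatures."""
    return a1 != a2 and ver(concat(a1, c), b1, pk) and ver(concat(a2, c), b2, pk)

def honest_sessions(v, sessions):
    """Concurrent sessions with the honest verifier: every transcript gets a fresh c."""
    out = []
    for _ in range(sessions):
        m = prover_round1()
        c, s = v.round2(m)
        assert ver(concat(m, c), s, v.pk)  # P-round-3, step 1
        out.append((m, c, s))
    return out

def simulator_lookahead(v):
    """S rewinds V* to the state before V-round-2 and replays it with a fresh m'."""
    m = prover_round1()
    snapshot = v.c  # black-box rewinding restores all of V*'s state, counter included
    c, s = v.round2(m)
    v.c = snapshot
    m2 = prover_round1()
    c2, s2 = v.round2(m2)
    assert c == c2
    return (m, s), (m2, s2), c
```

The look-ahead restores the verifier's counter because the simulator controls V*'s entire state, whereas a real prover talking to the honest verifier only ever sees signatures with pairwise distinct counter suffixes; that asymmetry is the fact both the zero-knowledge simulation and the concurrent-soundness reduction rest on.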



Theorem 1. If, for some positive η and γ, there exist an η-secure digital signa- 
ture scheme, a γ-secure commitment scheme and sub-exponentially strong ZAPs 
for all NP languages, then there exists a 3-round concurrently sound resettable 
zero-knowledge argument system for any language L ∈ NP in the cPK model. 

Proof. Consider the protocol in Figure 1. Completeness follows by inspection. 





Improved Setup Assumptions for 3-Round Resettable Zero Knowledge 539 



Concurrent Soundness. Assume by contradiction that the protocol is not con- 
currently sound; then there exists a malicious prover P* that in a concurrent 
attack has a non-negligible probability of making verifier V accept x for some 
x ∉ L. 

We assume we know the session j* of the verifier in which the prover will 
succeed in cheating. This assumption will be removed later. In order to obtain 
a contradiction we show an algorithm A running in time o(2^{k^η}) that breaks 
the η-secure digital signature scheme SS used in the construction. Algorithm A 
receives a signature public key pk, obtained by running G on input 1^k, has access 
to P* and to a signing oracle O for the public key pk, and outputs a signature of 
a message for which the oracle had not been queried. 

We now describe algorithm A. On input the challenge public key pk, A performs 
the set-up procedure and builds the public entry of the verifier as (pk, z), where 
z is the output of algorithm ZG on input 1^k. Algorithm A starts the interaction 
with the prover P* and, for every session j, constructs the message to be sent in the 
second round of the protocol by following the verifier's algorithm and by resorting 
to the oracle O to compute signatures of the messages m ∘ c, for the messages m received 
from P*. At the end of session j*, since x ∉ L, by the soundness of the ZAP 
(ZG, ZP, ZV) it must be the case that P* has exhibited commitments â_1, â_2 
of two different messages a_1, a_2 and commitments b̂_1, b̂_2 of two signatures b_1, b_2 
such that b_1 is a signature of a_1 and b_2 is a signature of a_2. Moreover, messages 
a_1 and a_2 have the value of the counter chosen by P* for the j*-th session as 
suffix. Then A, in time O(poly(k_1) · 2^{k_1^γ}), breaks the secrecy of the commitments 
and obtains the two messages along with their corresponding signatures. Now, 
A has queried the oracle for public key pk once for each value of the counter 
(we remind the reader that the adversary P*, for each value of the counter, is 
allowed to run the verifier at most once) and thus A has not queried the oracle 
for at least one of a_1 ∘ c or a_2 ∘ c. By picking k_1 such that k_1^γ < k^η, we have that 
A runs in time o(2^{k^η}) and we have reached a contradiction. 

In our proof we assumed that A knows the value j*. If this is not the case, 
A can simply guess the value and the same analysis applies, since this decreases 
the probability of breaking the digital signature scheme only by a polynomial 
factor. Moreover, A can also try to break all the commitments of all sessions, 
since the running time will still be o(2^{k^η}). 
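The choice of k_1 in the argument above, worked out as an added illustration (the paper states only the constraint k_1^γ < k^η and leaves the constant unspecified): fix a constant δ with 0 < δγ < η and set k_1 = ⌈k^δ⌉. Then the reduction A runs in time

$$\mathrm{poly}(k_1) \cdot 2^{k_1^{\gamma}} = 2^{\,O(k^{\delta\gamma}) + O(\log k)} = o\big(2^{k^{\eta}}\big),$$

because δγ < η, so A is a legitimate adversary against the η-secure signature scheme. At the same time the commitments stay hiding against the polynomial-time verifier: an adversary running in time poly(k) runs in time poly(k_1^{1/δ}) = k_1^{O(1)} = o(2^{k_1^{\gamma}}), which is what γ-security tolerates. As a numerical instance of the inequality only, η = γ = 1/2, δ = 1/2 and k = 4096 give k_1 = 64 and k_1^γ = 8 < 64 = k^η, i.e. A spends on the order of poly(64) · 2^8 steps opening the four commitments while the signature scheme is assumed secure up to 2^{64} steps.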

Resettable Zero Knowledge. Let V* be an (s, t)-resetting verifier. We next de- 
scribe a probabilistic polynomial-time algorithm S = S^{V*} that has black-box 
access to V* and whose output is computationally indistinguishable from the 
view of the interactions between P and V*. 

The simulator S receives from V* requests that can be described wlog by 
a quadruple (x, i, r, v), where x denotes the input instance for language L, i 
denotes the index of the public key with respect to which the interaction has 
to be simulated, r is the index of the random tape that must be used in the 
simulation, and v is the index of the message that S must send (for our specific 
protocol, v = 1 or v = 3). We remark that the resetting adversary V* is allowed 
to reset the prover to any previous state and even request that a different random 
tape be used (however, V* is not allowed to feed the prover with a random 
tape of its choice). 

Simulator S maintains several data structures, which will be implicitly used 
in its description below, and performs all the consistency checks requested by 
the protocol (for example, that the signatures received are valid). In addition, 
S also builds a table S(i, c) of signatures, with entry (i, c) holding signatures of 
messages with suffix c computed with respect to the i-th public key. 

The interaction between V* and S consists of essentially four types of re- 
quests. Indeed, two rounds of the argument system are played by the prover and 
we distinguish two cases depending on whether or not the same round has been 
requested since the last rewind by the verifier. 

1. The request is (x, i, r, 1) and it is the first such request since the last rewind. 

In this case, S follows exactly the prover's algorithm using the r-th random 
tape as source of randomness. 

2. The request is (x, i, r, 1) and such a request has already been presented to S 
by V* since the last rewind. 

In this case, S re-plays the same message used in the previous round. 

3. The request is (x, i, r, 3) and S has already received such a request since the 
last rewind. 

In this case, S re-plays the same message used in the previous round. 

4. The request is (x, i, r, 3) and S has not received such a request since the last 
rewind. Let c be the value of the counter declared by V* in the message just 
preceding the request. We have two sub-cases: 

(a) S(i, c) contains two (or more) signatures. 

In this case S uses two signatures from S(i, c) as witness to compute the 
last message of the ZAP. 

(b) S(i, c) contains one signature. 

S has obtained the signature in the second round played by V* (the case 
in which |S(i, c)| = 0 and S has to play the third round cannot happen). 
In this case S needs to obtain a second signature with suffix c in order 
to be able to compute the last message of the ZAP. Thus, S starts a 
look-ahead for (i, c). More precisely, S rewinds V* to the state just after 
it has sent the first request (x, i, r, 1) (notice that since V* is a resetting 
adversary, there could be several such requests) and uses a new random 
string r' instead of r. S will repeat this rewind strategy until a rewind 
ends by appending a second entry to S(i, c). 

As we shall argue, the simulation will halt in expected polynomial time, 
as the number of pairs (i, c) (and thus the number of look-aheads) is 
bounded by s(n)t(n), which is a polynomial (we are considering by defi- 
nition an (s, t)-resetting verifier). 

The Views Are Indistinguishable. The first message played by S in each session 
has exactly the same distribution as the one played by the prover, since S simply 
runs the prover's algorithm. We stress that even though after each rewind S 
changes one randomness r_g for a given g ∈ {1, ..., s(n)}, V* is not aware of such 
an update since its view does not go back past the last rewind. 
The third round played by S has the following two differences with respect 
to the one played by the prover. 

1. The prover commits to junk bits (the 0^k strings), while the simulator com- 
mits to a pair of different messages with the same suffix, along with their 
signatures with respect to a given public key. By the computational hiding 
of the commitment scheme, V* does not distinguish the commitments of S 
from the commitments of the prover. More formally, if V* distinguishes with 
non-negligible probability the commitments of S from the commitments of 
P, then V* can be used to contradict the hiding of the commitment scheme. 

2. The prover uses y such that (x, y) ∈ R_L in order to compute the auxiliary 
witness for running ZP on input the auxiliary statement "τ ∈ A". Instead, 
the simulator uses its knowledge of the different messages with c as suffix, 
along with their signatures, to compute the auxiliary witness for "τ ∈ A". 
Both the prover and S follow the honest prover algorithm for the ZAP by 
running ZP on a good witness for the auxiliary statement. Therefore, an 
adversarial verifier V* that distinguishes the witness used by the simula- 
tor from the one used by an honest prover can be used to contradict the 
witness-indistinguishability of the ZAP. Note that in our implementation of 
the ZAP the prover uses as randomness a pseudorandom string of both z and 
the message sent by the verifier. Therefore, as remarked in [21, 22], this imple- 
mentation of the ZAP preserves witness-indistinguishability even in case of reset 
attacks, i.e., the implemented ZAP is a resettable witness-indistinguishable 
proof system. 

The Simulation Ends in Polynomial Time. S has to compute two messages for 
each session. Note that for the first message S always performs a straight-line 
simulation, since the first round of a session is played by running the prover 
algorithm and, since no witness is needed, it can be computed by S without 
rewinding V*. 

The analysis is more complicated for the second message. First of all, observe 
that the simulator starts a new look-ahead procedure only after receiving a 
request (x, i, r, 3). Such a request is immediately preceded by a message from V* 
containing one valid signature for a pair (i, c) for which S(i, c) was empty before 
the request (for otherwise no look-ahead procedure would be started, since S has 
at least 2 valid signatures). In other words, the simulator starts a look-ahead 
procedure only after receiving a useful signature. However, observe that both the 
number of entries in the public file (and thus the number of possible values of 
i) and the number of possible values of the counter are bounded by the running 
time of the adversary V*, which is assumed to be polynomially bounded. Next, we 
argue that the contribution of each entry to the expected work of the simulator 
is also polynomially bounded. Roughly speaking, the contribution of each pair 
(i, c) is equal to the probability that counter c appears in a session with public 
key pk_i times the number of rewinds needed to have a new session with the same 
public key and the same value of the counter in which we ask for the signature of 
a different message. It is easy to see that this quantity is polynomially bounded. 
4.2 Three-Round CZK Argument of Knowledge in the cPK Model 

In this section we present a three-round concurrently-sound concurrent zero- 
knowledge argument of knowledge in the cPK model for any language L ∈ NP under stan- 
dard intractability assumptions. 

The argument of knowledge that we present is derived from the argument 
of membership of the previous section by replacing the ZAP with a 3-round 
witness-indistinguishable proof system to prove a statement of the form "α ∨ β", 
where α is known at the beginning of the protocol while β is known only in 
the last round. Additionally, we need witness extraction with respect to α. An 
implementation of this primitive can be given by using a variation of the protocol 
presented in [25] (this is also used in [26]). 

To prove the properties of our construction, we assume the existence of sig- 
nature and commitment schemes secure with respect to polynomial-time ad- 
versaries, and the existence of the mentioned 3-round witness-indistinguishable 
proof system of membership π for any NP language (which can, in turn, be based 
on the existence of one-way permutations). We use this proof system as a black 
box and denote the messages computed in it by (wi_1, wi_2, wi_3), where wi_1 is sent 
by the prover, wi_2 is sent by the verifier and wi_3 is sent by the prover again. 
Note that in order to prove that x ∈ L, for some NP language L, the message 
wi_1 can be computed in polynomial time given only the length |x| (that 
is, neither x nor a witness for it is necessary). 

The Public File. Let k be the security parameter. The i-th entry of the public 
file F consists of a randomly generated public key pk with security parameter 
k for the secure signature scheme SS and of the first round of a two-round 
computationally-binding perfectly-hiding commitment scheme. 

Private Inputs. For the statements “x G L”, the private input of the prover 
consists of a witness y for x G L. The private input of the verifier consists of the 
private key sk corresponding to the public key pk and a counter c. 

The Protocol. Suppose that the prover wants to prove that x ∈ L and that the 
verifier knows the private key sk of the i-th public key pk of the public file F. 

In the first round P randomly picks a string m of length k, computes wi_1 
according to the proof system π, and sends the pair (m, wi_1) to V. Then V in- 
crements c and uses the private key sk to compute a digital signature m̂_c of 
m ∘ c, computes message wi_2 and sends the triple (1^c, m̂_c, wi_2) to P. In the 
last round P verifies that m̂_c is a valid signature of m ∘ c with respect to pk and computes 
the commitments â_1, â_2, b̂_1, b̂_2 of 0^k. Then P computes message wi_3 according 
to proof system π by using instance (x, c, â_1, â_2, b̂_1, b̂_2, k, pk) and string y as the 
input and witness for π, respectively. P sends wi_3, â_1, â_2, b̂_1, b̂_2 to V. Finally, V 
verifies that (wi_1, wi_2, wi_3) is valid by running the verifier's accepting predicate 
of proof system π, using as input the instance (x, c, â_1, â_2, b̂_1, b̂_2, k, pk). 
Theorem 2. If there exist one-way permutations, then there exists a three- 
round concurrently-sound concurrent zero-knowledge argument of knowledge for 
NP in the cPK model. 

The proof of Theorem 2 is omitted from this extended abstract. 



5 Conclusion 

In this paper we have presented a 3-round concurrently-sound resettable zero- 
knowledge argument system in the cPK model that improves the previous works 
of Micali and Reyzin [17] and Zhao et al. [18]. The cPK model is only a slight 
variation of the BPK model, and we have shown that it can be used to go beyond 
the barrier of four rounds needed for concurrent soundness in the BPK model. Our 
result makes a big step toward closing the gap between a public-key model that ad- 
mits three-round concurrently-sound resettable zero-knowledge arguments and 
the BPK model. Moreover, we have shown a 3-round concurrently-sound concur- 
rent zero-knowledge argument of knowledge in the cPK model under standard 
intractability assumptions. 